The Big Website Guide to a Hacking Attack

Working in IT, one of the most dreaded calls you can receive is the one that informs you that something on your network has been compromised, especially if that something is your company’s web site.

Organizations spend a great deal of money developing web sites that have become an integral way that they do business. Web sites are used to generate leads, sell products, hire employees, and manage customer relationships.

Having a web site compromised not only means that the business process is interrupted, but the trust that has been built up in customers and clients is at risk.

Responding to an attack

Large businesses often react to a compromised web site differently than a small business would. Some of this stems from the nature of running a large corporation, such as hosting sites and databases on your own servers rather than on a hosted account. However, a great deal of the difference comes from the need to comply with standards such as PCI, HIPAA, and Sarbanes-Oxley. Because of this, administrators of a large web site may be required to notify law enforcement agencies as well as credit card companies. When this happens, the investigation is generally taken out of the company’s hands and responsibility is shifted to the various agencies for a deeper forensic analysis.

When dealing with a compromised web site, there are a few steps that should be taken immediately:

  1. Contain the exposure immediately. A server, or servers, that have been compromised should be disconnected from the network to minimize any further data loss. Disconnected means unplugged from the network; do not turn off a machine that has been compromised. Do not touch, access, or log into compromised systems, as doing so can damage any evidence on the system.
  2. Log every action taken in responding to the attack. Make sure to preserve this log, as well as any other logs available (security logs, web server logs, database logs, etc).
  3. Consult your legal advisors. They will inform you of what steps need to be taken as far as compliance is concerned. They should also be able to tell you which law enforcement agency you should contact. If your IT department will be performing a forensic investigation, they will need to be aware of this as well.
  4. Inform the appropriate law enforcement agency of the attack. They may not be able to do anything since many attacks come from foreign countries but you need to at least inform them, especially if there was theft involved.
  5. Inform credit card companies if you have a merchant account on-site. This is required for PCI compliance. They may send a forensic team to investigate so it is important that you discuss with them what actions you have taken and what your organization plans to do next. They will probably inform you of what steps they require as well.

Once you have contained the security breach, your organization should begin planning how they intend to respond. If there is an individual, or team, that has been trained in computer forensics, they will be dealing with the servers that have been compromised. If there is no one on staff that has received formal training, the forensic analysis is best left to an expert as the chain of custody for any evidence on the system may be at risk.

Getting Back Online

Of course this process takes some time, and time equals money. The good news is that a site can be restored while the investigation is taking place. Because web sites and databases are backed up, the site and any databases can be restored on new servers from a point in time before the attack happened. Make sure that you are not restoring your site from a backup that may contain tools used to compromise your site; this would put you right back in the same situation. It is better to spend the time rebuilding your site from an earlier date than to have to repeat the entire process.

While the web site and accompanying databases are being rebuilt, there are a few steps that need to be taken to help prevent another attack once your site is back online. First, all employees who work with the web site need to run a malware scan on their computers with the latest updates. Ideally every employee should do this, but anyone who works with the web site must take this step to clear out any keystroke loggers or other malware that may have been used to compromise your site.

Change the passwords for all FTP accounts, email accounts, and administrator accounts for anyone who works on the web site. Other employees should be required to do the same for any credentials that allow them to access the web site or the network.

Update all software used by your web server and web site. Starting with the operating system and working your way through to even the smallest third-party plug-in, make sure everything is patched. If you have custom applications written for your web site, make sure these are analyzed for vulnerabilities and patches are written for them as well. Inspect all the web site’s files for any discrepancies. The web developers should handle this step as they know what to look for. They should also be looking at the file permissions to make sure that nothing is set to anything higher than 755 for folders and 644 for html/php files.
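The file inspection and permission check described above, as an added example that is not code from the original article: a small Python script that walks a web root, reports any folder set above 755 or file set above 644, and compares SHA-256 hashes of every file against a baseline snapshot so that added, removed and modified files stand out. The sample site it builds in a temporary directory, along with its file names, contents and the one altered and one unexpected file, is constructed for the demonstration and is not a real site.

```python
import hashlib
import os
import stat
import tempfile

# Maximum permission bits the article allows: 755 for folders, 644 for html/php files.
DIR_MAX = 0o755
FILE_MAX = 0o644


def too_permissive(mode: int, allowed: int) -> bool:
    """True if `mode` grants any bit that `allowed` does not (e.g. group/other write)."""
    return bool(stat.S_IMODE(mode) & ~allowed)


def audit_permissions(root: str) -> list:
    """Walk the web root and return (relative path, mode) for every entry above the maximum."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            mode = os.lstat(path).st_mode  # lstat: do not follow symlinks
            if stat.S_ISDIR(mode) and too_permissive(mode, DIR_MAX):
                findings.append((os.path.relpath(path, root), oct(stat.S_IMODE(mode))))
            elif stat.S_ISREG(mode) and too_permissive(mode, FILE_MAX):
                findings.append((os.path.relpath(path, root), oct(stat.S_IMODE(mode))))
    return sorted(findings)


def snapshot(root: str) -> dict:
    """Map each regular file (relative path) to its SHA-256 so later runs can be compared."""
    digests = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            with open(path, "rb") as fh:
                digests[os.path.relpath(path, root)] = hashlib.sha256(fh.read()).hexdigest()
    return digests


def diff_snapshots(baseline: dict, current: dict) -> dict:
    """Classify discrepancies between a known-good snapshot and the current tree."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
    }


def build_sample_site() -> str:
    """Constructed sample web root with one over-permissive folder and one over-permissive file."""
    root = tempfile.mkdtemp(prefix="site-")
    os.makedirs(os.path.join(root, "uploads"))
    os.makedirs(os.path.join(root, "inc"))
    files = {
        "index.php": "<?php echo 'hello'; ?>",
        "inc/config.php": "<?php $db_host = 'localhost'; ?>",
        "uploads/logo.png": "not-really-a-png",
    }
    for rel, body in files.items():
        with open(os.path.join(root, rel), "w") as fh:
            fh.write(body)
        os.chmod(os.path.join(root, rel), 0o644)
    os.chmod(os.path.join(root, "inc"), 0o755)
    os.chmod(os.path.join(root, "uploads"), 0o777)            # folder above 755
    os.chmod(os.path.join(root, "inc", "config.php"), 0o666)  # file above 644
    return root


def simulate_drift(root: str) -> dict:
    """Take a baseline, then alter the tree the way a later inspection might find it
    (one file changed, one file present that was never deployed) and classify the result."""
    baseline = snapshot(root)
    with open(os.path.join(root, "index.php"), "a") as fh:
        fh.write("\n<!-- edited after baseline -->")
    with open(os.path.join(root, "uploads", "unexpected.php"), "w") as fh:
        fh.write("<?php /* not part of the deployed site */ ?>")
    return diff_snapshots(baseline, snapshot(root))


if __name__ == "__main__":
    site = build_sample_site()
    print("permission findings:", audit_permissions(site))
    print("discrepancies:", simulate_drift(site))
```

In practice the baseline snapshot is taken from the clean rebuild (or from version control) and stored off the web server, and the audit is re-run on a schedule; the permission rule is deliberately "any bit beyond the maximum", so a 700 folder passes while a 775 one is reported.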

Clean Up Your Image

Contact Google if your site has been listed as a dangerous site as a result of the attack. This can help restore your page rankings and have you removed as a dangerous site. Also, contact sites like malwaredomainlist.com to make sure that you are not listed as a dangerous domain.

Monitor Web Activity Closely

Until you find out from a forensic investigation what exactly caused the breach you will need to look for any signs that the attacker may have compromised your site once again.
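What monitoring web activity for signs of a repeat compromise can look like, as an added example that is not code from the original article: a Python script that parses Apache combined-format access log lines and flags three things worth a closer look after a rebuild, a 200 response for a path that is not part of the rebuilt site, a POST to a path that is not a known form handler, and a burst of 404s from a single client. The log lines, the set of known site paths, the list of form handlers and the 404 threshold are constructed assumptions for the demonstration.

```python
import re
from collections import Counter

# Apache "combined" log format; one named group per field the checks need.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)

# Constructed sample: a normal visitor, a client fetching and posting to a file that was
# never part of the rebuilt site, and a client requesting paths that do not exist.
SAMPLE_LOG = [
    '198.51.100.4 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php HTTP/1.1" 200 2326 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [10/Oct/2023:13:56:01 +0000] "POST /contact.php HTTP/1.1" 302 - "http://example.test/contact.php" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Oct/2023:14:02:10 +0000] "GET /uploads/unknown.php?x=1 HTTP/1.1" 200 512 "-" "curl/7.88"',
    '203.0.113.9 - - [10/Oct/2023:14:02:15 +0000] "POST /uploads/unknown.php HTTP/1.1" 200 77 "-" "curl/7.88"',
    '203.0.113.50 - - [10/Oct/2023:14:10:00 +0000] "GET /old.zip HTTP/1.1" 404 196 "-" "Mozilla/5.0"',
    '203.0.113.50 - - [10/Oct/2023:14:10:01 +0000] "GET /backup.tar HTTP/1.1" 404 196 "-" "Mozilla/5.0"',
    '203.0.113.50 - - [10/Oct/2023:14:10:02 +0000] "GET /test.php HTTP/1.1" 404 196 "-" "Mozilla/5.0"',
    '203.0.113.50 - - [10/Oct/2023:14:10:03 +0000] "GET /admin/ HTTP/1.1" 404 196 "-" "Mozilla/5.0"',
    '203.0.113.50 - - [10/Oct/2023:14:10:04 +0000] "GET /tmp/ HTTP/1.1" 404 196 "-" "Mozilla/5.0"',
]

# Assumed: the paths that exist in the rebuilt site, and the only paths that accept POSTs.
KNOWN_PATHS = {"/", "/index.php", "/contact.php", "/css/site.css"}
POST_ENDPOINTS = {"/contact.php"}


def parse_line(line: str):
    """Return the log fields as a dict, or None if the line is not in combined format."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]  # compare paths without the query string
    return rec


def find_signals(lines, known_paths, post_endpoints, not_found_threshold=5):
    """Run the three checks over log lines and return a list of (signal, detail...) tuples."""
    signals = []
    not_found = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            signals.append(("unparseable-line", line))
            continue
        if rec["status"] == 404:
            not_found[rec["ip"]] += 1
        # The server answered 200 for a path that the rebuilt site does not contain.
        if rec["status"] == 200 and rec["path"] not in known_paths:
            signals.append(("served-unknown-file", rec["ip"], rec["path"]))
        # Data was posted to something other than a known form handler.
        if rec["method"] == "POST" and rec["path"] not in post_endpoints:
            signals.append(("post-to-unexpected-path", rec["ip"], rec["path"]))
    # Many 404s from one client in the window usually means it is looking for paths, not browsing.
    for ip, count in not_found.items():
        if count >= not_found_threshold:
            signals.append(("404-burst", ip, count))
    return signals


def run_sample():
    """Apply the checks to the constructed sample log."""
    return find_signals(SAMPLE_LOG, KNOWN_PATHS, POST_ENDPOINTS)


if __name__ == "__main__":
    for signal in run_sample():
        print(signal)
```

The "served-unknown-file" check is the one most worth keeping after the forensic results come back: the set of known paths can be generated from the same clean snapshot used to rebuild the site, so any 200 for a path outside it means a file exists on the server that was not deployed.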

Respond to the forensic results

Once you find out exactly what caused the breach, respond accordingly. Perhaps there was a vulnerability in a non-essential service that can be shut down, or maybe a web application needs to be patched.

Prevention

After going through an attack, the value of prevention is obvious. Keeping servers and the software they run updated is essential. Requiring employees to use strong passwords should be part of any acceptable use policy. Logs should also be reviewed regularly so that a future breach is caught early. Intrusion detection systems, intrusion prevention systems, and firewalls will stop a great many of the attacks launched against a web site. However, as PCI compliance guidance states, these devices must allow traffic to reach the web applications that are exposed to the public Internet, and they are usually not designed to inspect, evaluate, and react to the parts of an Internet Protocol message (packet) that web applications use, so the applications receive uninspected input.

Since many attacks are initiated through a vulnerability in a web application, the PCI guidance recommends deploying a web application firewall designed to inspect the contents of the application layer of an IP packet, as well as the contents of any other layer that could be used to attack a web application.