Five quick checks to prevent attackers from weaponizing your website
If you work in security, chances are good you got an email from someone Monday (August 20, 2018) asking if your organization was “safe” from the attacks that Microsoft announced by the Russian threat group APT28 (also called Fancy Bear). Microsoft and other large infrastructure providers are in a unique position to see potentially malicious activity and determine not just the target, but the source of the attack as well. In this case, they’ve identified yet another attack from APT28, an organization with a history of interfering with the U.S. democratic process. And beyond simply announcing these attacks and the takedown of the malicious websites, Microsoft is also rolling out a program “free of charge to candidates, campaigns and related political institutions using Office 365.” But if you’re not a candidate, campaign or related political institution, what’s your takeaway from this announcement?
What would they want with your website?
You may be thinking “we aren’t a target for nation-state actors.” While that’s true for many, there are lots of different types of attackers that may be very interested in your website. Here are some of the most frequent ways attackers can use your website and your web presence to harm your company, your users and the public at large.
- Serving up malware: By embedding malware into an existing website, attackers trade in on the trust you’ve built with your users to compromise their machines. The embedded malware then executes “drive-by” attacks on your users that can significantly damage your brand and impact a large number of people. A Chinese hacker group did this to target specific individuals registering for a foreign trade lobbying group ahead of a China-US presidential summit.
- Spoofing your website: Attackers can create websites with addresses similar to yours. They use confusingly named or similar domain names to the websites you already own. By tricking users to go to these fake sites, attackers can harvest credentials and plant malware to gain access to the users’ systems. For example, in this recent Microsoft announcement, the domain “my-iri.org” was meant to imitate the International Republican Institute located at the domain “iri.org.”
- Getting into your infrastructure: Best practice is to keep your external website separate from your infrastructure. But that’s not always practical. If your website is connected to other parts of your network, an attack against your website can serve as a gateway for attackers to move further into your enterprise.
- Denial of service: Your website is your primary face to your customers. It’s also the place where angry customers can express their dissatisfaction. Hopefully, unsatisfied customers will stick to filling out a web form to lodge their complaint. But if they’re bored and skilled, occasionally they’ll take it to the next level and launch a denial of service attack to take your whole web presence offline. The size and scope of DoS attacks have increased dramatically in size over the last year, according to Arbor.
- Defacement: Once a common activity on the Internet, defacements have waned over the years. But hacktivists and others threat actors still target websites to gain control and change content to promote their ideology. Defacements are often crude, but they can still be jarring to your users and impact your company’s reputation.
Five things you can do
Managing cyber risk is a balancing act of cost versus risk, and your specific situation will be unique to your own organization. But there are some general truisms when it comes to securing your web presence and we’ve pulled together five recommendations that should apply to most organizations.
- Two factor everywhere: In general, you should use two-factor authentication (2FA) anywhere possible. But, in particular, when it’s your website, you should enable 2FA for administrators to limit the impact of compromised passwords. Many content management systems (CMS) don’t have 2FA support natively. However, there are plugins for every major CMS that enable 2FA support with common one-time password solutions.
- Don’t run your own website: Really, running a website is a lot of work. Maintaining the operating system, staying current on the content management system, staying current on best configurations and practices and monitoring for various attacks is more effort than many companies are willing to put into their website. The good news is that you can pay others to run websites for relatively cheap, sometimes even free depending on what your requirements are. If you’re running your website today, consider outsourcing it as soon as possible.
- Monitor for look-alike domains: Your website only has one correct spelling. Your users, however, don’t really pay that much attention, and there are many misspellings and deceptively named domains that may trick them into visiting a malicious site. There are lots of services that you can use to monitor potentially malicious domain registrations so you can work with registrars to take down infringing domains and warn your users.
- Patch and audit: If you do run your own website, you’ve got to stay current on patches. Modern CMS’s make patching easy. Usually it just takes the push of a button. That’s super important because attackers can weaponize published vulnerabilities in CMS’s in a matter of hours. It’s important that you patch as soon as possible and audit administrative access logs for suspicious activity.
- Limit plugins: Historically, CMS’s have been a disaster from a security perspective. However, due to the risk they represent to websites, most CMS’s have really stepped up their game and are relatively secure. The weak link is now the plugins that users install to add functionality. Be sure to vet your plugins before you install them. Some have been well written and audited; others are sort of “fly by night” and have little to no support or documentation. Often, hosted CMS providers have a list of acceptable plug-ins. These lists are usually a good starting point to pick which ones you want to use.
So … back to that “are we safe” email that higher-ups love to send after every headline. The guidance above should help you explain how and why attackers compromise websites and what you can do to prevent it. But once the latest headline passes, I’d recommend using something like the NIST Cybersecurity Framework to explain your broader security strategy to execs. Once you school them on it, you’ll find it’s an invaluable tool that you can point to when the next headline hits about the risk they are consciously (or unwittingly) accepting based on the security investments they’ve approved.