Working in IT, one of the most dreaded calls you can receive is the one that informs you that something on your network has been compromised, especially if that something is your company’s web site.
Organizations spend a great deal of money developing web sites that have become a integral way that they do business. Web sites are used to generate leads, sell products, hire employees, and manage customer relationships.
Having a web site compromised not only means that the business process is interrupted, but the trust that has been built up in customers and clients is at risk.
Large businesses often have different reactions to a compromised web site as a small business would. Some of this stems from the nature of running a large corporation such as hosting sites and databases on your own servers rather than a hosted account. However, a great deal of the difference comes from the need to comply with certain standards such as PCI, HIPAA, and Sarbanes-Oxley. Because of this, administrators of a large web site may be required to notify law enforcement agencies as well as credit card companies. When this happens, the investigation is generally taken out of the company’s hands and responsibility is shifted to the various agencies for a deeper forensic analysis.
When dealing with a compromised web site, there are a few steps that should be taken immediately:
Once you have contained the security breach, your organization should begin planning how they intend to respond. If there is an individual, or team, that has been trained in computer forensics, they will be dealing with the servers that have been compromised. If there is no one on staff that has received formal training, the forensic analysis is best left to an expert as the chain of custody for any evidence on the system may be at risk.
Of course this process takes some time, and time equals money. The good news is, a site can be restored while the investigation is taking place. Web sites and databases are backed up so on new servers, the site and any databases can be restored from a point in time before the attack happened. Make sure that you are not restoring your site from a backup that may contain tools used to compromise your site. This would put you right back in the same situation. It is better to have to spend time rebuilding your site from a previous date then have to repeat the entire process.
While the web site and accompanying databases are being rebuilt there are a few steps that need to be taken to help prevent another attack once your site is back online: All employees who work with the web site need to run a malware scan on their computers with the latest updates. All employees should be made to do this, but anyone who works with the web sites needs to be made to take this step to clear out any keystroke loggers or other malware that may have been used to compromise your site.
Change the passwords for all FTP accounts, email accounts, and administrator accounts for anyone who works on the web site. Other employees should be required to do the same for any credentials that allow them to access the web site or the network.
Update all software used by your web server and web site. Starting with the operating system and working your way through to even the smallest third-party plug-in, make sure everything is patched. If you have custom applications written for your web site, make sure these are analyzed for vulnerabilities and patches are written for them as well. Inspect all the web site’s files for any discrepancies. The web developers should handle this step as they know what to look for. They should also be looking at the file permissions to make sure that nothing is set to anything higher than 755 for folders and 644 for html/php files.
Contact Google if your site has been listed as a dangerous site as a result of the attack. This can help restore your page rankings and have you removed as a dangerous site. Also, contact sites like malwaredomainlist.com to make sure that you are not listed as a dangerous domain.
Until you find out from a forensic investigation what exactly caused the breach you will need to look for any signs that the attacker may have compromised your site once again.
Once you find what exactly caused the breach, respond accordingly. Perhaps there was a vulnerability in a non-essential service that can be shut down, or maybe an web application needs to be patched.
After going through an attack, it is obvious that prevention is essential. Keeping servers and the software they run updated is essential. Requiring employees to use strong passwords should be part of any acceptable use policy. Other steps can be to make sure logs are reviewed so that a future breach is caught early. Intrusion detection systems, intrusion prevention systems, and firewalls will help prevent a great deal of attacks launched against a web site, but as PCI compliance states, theses devices must allow messages to reach the web applications that are exposed to the public Internet and are usually not designed to inspect, evaluate, and react to the parts of an Internet Protocol message (packet) used by web applications so they receive uninspected input.
Since many attacks are initiated by vulnerability in a web application, they recommend deploying a web application firewall designed to inspect the contents of the application layer of an IP packet, as well as the contents of any other layer that could be used to attack a web application.