Posted by Crownpeak, March 30, 2015

Understand the Cyberthreats Targeting Your Websites

According to the much respected 2014 Verizon Data Breach Investigations Report, 35% of cyberattacks exploited a poorly protected website or web application. Web servers remain a preferred target of opportunity for malicious attackers – the entry point to confidential information more often than databases, endpoints and point-of-sale terminals.

Every insecure website your organization has increases its potential attack surface for cybercriminals. Types of cyberattacks range from the opportunistic breach to so-called Advanced Persistent Threats. There are numerous other kinds, but it’s illustrative to examine these two ends of the threat spectrum when it comes to protecting your website portfolio.

Opportunistic cyberattacks target weakly protected websites

Another name for opportunistic breaches is the "drive-by attack". The hacker is not singling out the victimized company, but rather exploiting any organization with a hole in its web defenses. Many times the opportunistic attacker targets an organization simply because it sits in the chain of trust of a bigger, higher-value target that they really want to hit. Those higher-value targets most often include financial services companies and retailers. For example, the much publicized Christmas 2013 breach at retailer Target was initiated by a cyberattack on the firm’s heating, ventilation and air-conditioning contractor.

Opportunistic attackers may search for websites that contain a particular security vulnerability – seeking out “apps that have remote access services running with guessable passwords” or “all sites running vulnerable WordPress installations”. Opportunistic attackers will exploit the weakest websites that they catch in their dragnet, exploiting paths of least resistance along the security chain.

Make no mistake: opportunistic attackers are out purely for financial gain. Their breaches access and steal user account credentials, keys or certificates that could be useful, bulk customer credit card data, personally identifiable information, or data repositories on potential high-value targets. These attackers are just as happy grabbing the low-hanging fruit – provided it’s unprotected and they can turn a profit for their effort. Many times this information ends up on the cybercriminal black market, sold to the highest bidder.

Advanced persistent threats target your trade secrets

Advanced Persistent Threats (APTs) don’t necessarily need to be “advanced” to succeed, because attackers will only do as much as they have to in order to break into a network; they are, however, always “persistent”, because the threat remains constant. The APT attacker wants you, only you, and whatever it is you are protecting so dearly.

These organized, well-funded attackers can be individuals, organizations or nations that target government agencies, the military, defense contractors, manufacturers and utilities. APTs include state espionage, corporate espionage and cyberwarfare. APT attacks go after trade secrets, intelligence or information to be used for advantage, exploitation or extortion. One example is the U.S. Justice Department’s 2014 indictments of state-sponsored Chinese hackers for industrial espionage attacks on US Steel, Alcoa and Westinghouse.

Similar to opportunistic threats, APTs can target anyone along the ultimate target’s web security supply chain. The attacker will leverage a compromised asset on the web perimeter which may be weak (or considered unimportant) to work their way into the network. Often attackers will chain together multiple attacks to get what they need. They rely on reasonably sophisticated command-and-control infrastructure, where duties are segregated among different attackers or teams managing different steps in a complex attack with sophisticated data exfiltration methods. APT attackers always try to avoid detection and cover their tracks.

5 security actions to protect your website portfolio

Obviously the best defense is a strong offense. Most of the website attacks reported to Verizon in 2014 exploited common CMS options such as Joomla, Drupal and WordPress. Choosing a highly secure, enterprise-grade web content management system and hosting infrastructure for your websites is a great first step. Here are five other things your organization can do:

  1. Understand who might attack you. Who's out there, what are their motivations, and why might they want to attack you? If you're a manufacturer that is concerned about trade secrets and theft of intellectual property, then defend against corporate espionage. If you are a military contractor, then plan for cyberwarfare. Come up with a prevention strategy for each scenario, which may require a mix of disparate web security solutions.
  2. Strengthen your web security. Cyberattackers are looking for any hole in your defenses. Protect the easiest points of access to your website properties. Raise your minimum bar of security with web application firewalls and testing tools such as malware detection. Secure necessary endpoints (such as employee mobile devices). If you are managing your own CMS, schedule updates and patches regularly (if you aren’t managing your own CMS, see action #5). Finally, monitor whatever you can to detect breaches earlier. An ounce of prevention really is worth a pound of cure here.
  3. Plug holes in your web perimeter. Realize that an attack can start anywhere on your public network, so you need to know every website and web application you have. Focus on the weakest or riskiest websites in your portfolio. Even temporary websites should still be made reasonably secure. Shut down legacy sites if they are poorly trafficked. Enforce multi-factor user authentication and lockout procedures. Target your site vulnerability remediation efforts at the easy stuff – by prioritizing the elimination of common coding errors such as SQL injection, cross-site scripting, missing input validation and buffer overflows across the board.
  4. Make it expensive for the attacker. Assuming that web security is even a moderate priority at your organization, stopping attackers at the front door comes down to implementing reasonable deterrence. A layered approach to web security tries to stay one step ahead by adding roadblocks to the likely attacker’s breach process. Slowing attackers down burns their time and energy. From an economic standpoint, the longer it takes them and the harder it is to compromise you, the more likely it is that they'll move on to other organizations that are easier to exploit.
  5. Compel your hosting provider to attest to their security posture. If you are not managing your own CMS, you had better ask your hosting providers some tough questions to ensure their infrastructure is secure. Thorough attestation should include documentation, policies and procedures, testing regimens, certifications, and physical security precautions. If providers don’t satisfy your information security or compliance requirements, find one that does… or consider WCM vendors who offer site hosting solutions to further minimize your attack surface.
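Action #3 names SQL injection and cross-site scripting as the "easy stuff" to eliminate first. The example below, which is added here and is not Crownpeak's code, shows what that remediation looks like in practice: a user lookup and a page greeting, each written the vulnerable way and the hardened way. The `users` table, its two rows and the sample inputs are constructed for the demonstration, and the function names are assumptions. The hardened lookup passes the username as a query parameter so the database always treats it as a literal, and the hardened greeting HTML-escapes untrusted text before it reaches the browser.

```python
"""Added example (not Crownpeak's code): vulnerable vs. hardened handling
of untrusted input for the two coding errors named in action #3.
The database contents, schema and function names are constructed
for this demonstration."""
import html
import sqlite3


def make_db():
    """Build an in-memory SQLite database with a constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    return conn


def find_user_vulnerable(conn, username):
    """Vulnerable: the username is pasted into the SQL text, so a quote
    character in the input changes the structure of the query itself."""
    query = "SELECT username, email FROM users WHERE username = '%s'" % username
    return conn.execute(query).fetchall()


def find_user_hardened(conn, username):
    """Hardened: a parameterized query sends the value separately from the
    SQL text, so the database always treats it as a literal string."""
    query = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()


def render_greeting_vulnerable(username):
    """Vulnerable: untrusted text is interpolated straight into HTML."""
    return "<p>Welcome, %s</p>" % username


def render_greeting_hardened(username):
    """Hardened: HTML-escape untrusted text (including quotes) before output."""
    return "<p>Welcome, %s</p>" % html.escape(username, quote=True)


def compare(username):
    """Run both lookups and both renderers on one input and report how the
    vulnerable path differs from the hardened one for that input."""
    conn = make_db()
    try:
        vuln_rows = find_user_vulnerable(conn, username)
        vuln_error = None
    except sqlite3.OperationalError as exc:
        # A legitimate apostrophe (e.g. O'Brien) already breaks the query.
        vuln_rows, vuln_error = [], str(exc)
    safe_rows = find_user_hardened(conn, username)
    conn.close()
    return {
        "vulnerable_rows": len(vuln_rows),
        "vulnerable_error": vuln_error,
        "hardened_rows": len(safe_rows),
        "query_structure_changed": vuln_error is not None
        or len(vuln_rows) != len(safe_rows),
        "vulnerable_html": render_greeting_vulnerable(username),
        "hardened_html": render_greeting_hardened(username),
    }


if __name__ == "__main__":
    # Constructed inputs: a normal name, a name with an apostrophe, and a
    # username containing HTML markup.
    for sample in ("alice", "O'Brien", "<b>guest</b>"):
        print(sample, compare(sample))
```

For the apostrophe case the vulnerable lookup fails with a syntax error while the hardened lookup simply finds no such user; that difference is the same flaw that lets crafted input alter the query, which is why parameterized queries and output escaping are the fixes to apply portfolio-wide rather than per-site patches.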