Getting hacked sucks. It is expensive to remedy, it damages your brand, and it costs precious traffic and revenue. If you have read the news at all in the past year, it is clear that cyber attacks are no longer a rare occurrence but the new reality we all face.
This shift can be attributed to several factors: the growth of the internet and the corresponding increase in both attackers and targets; the growing number of published vulnerabilities, which are exploited quickly once disclosed; and the availability of hacking tools that let people with modest skills launch devastating attacks. Criminal organizations have turned this into a full-scale enterprise, running botnets that scan day and night for vulnerable sites and exploit them automatically.
Protect Your Organization
Adopting an aggressive, proactive protection plan that minimizes vulnerabilities is the first step. You cannot protect yourself from every possible threat, but a solid plan dramatically lowers the likelihood that you will be hacked and limits the damage when you are.
We created the following plan based on our experience hacking, getting hacked and fending off hackers. It assumes that you already have basic security measures in place: current antivirus software on your computers, a strong-password policy and the other security best practices expected of any organization. If you don't, this article on basic organizational security measures ought to help.
The Flint Digital Website Security Plan
Application and Data Backup
Let's face it: anything that can possibly go wrong, given enough time, does. Frequent, offsite backups are therefore essential to any digital endeavor. Recent backups limit the pain of recovering from a hack, human error, a server meltdown or any other unforeseen disaster. Our protection plan specifies the following seven commandments:
- Backups shall be stored securely off site, and the credentials the server uses to write them shall not be able to delete or overwrite earlier copies. Relying solely on local backups is ineffective if the local system fails, and a backup that the web server can delete is one that an attacker on the web server can delete too.
- Database backups shall be made hourly. Replacing lost data, especially ecommerce orders and customer records, is extremely difficult, time consuming and in many cases impossible.
- Code shall be managed in version control such as Git or SVN. Version control stores and tracks incremental file changes, provides an additional layer of redundancy, and gives you a known-good copy to diff an infected site against.
- Code and files shall be backed up daily. Application code changes less frequently than data and, when version control is used properly, is recoverable from any revision; the daily backup covers uploads, configuration and anything else that lives outside the repository.
- Code and file backups shall be kept on a daily (seven days), weekly (four weeks) and monthly (twelve months) rotation. This allows rapid recovery of recent file changes and leaves an opportunity for deeper forensic analysis if a compromise goes undetected for a long time; with only a week of history, every copy may already contain the attacker's files.
- Database backups shall be kept on an hourly (24), daily (7), weekly (4) and monthly (12) rotation, for the same reasons.
- Database backups shall be tested for recoverability. A corrupt backup has zero value. Restore a recent backup into a scratch database and verify it at regular intervals of one to two months; a backup that has never been restored is an assumption, not a backup.
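The rotation and completeness check described above, as an added example in POSIX shell; it is not Flint Digital's own tooling. It assumes a dump produced by mysqldump (which ends with a "-- Dump completed" line unless comments are suppressed), a hypothetical backup root with hourly, daily, weekly and monthly subdirectories, and date components passed in by the caller so the logic can be exercised without the system clock. The check rejects empty or truncated dumps before they are archived; it is not a substitute for the full restore test.

```shell
#!/bin/sh
# Hourly(24)/daily(7)/weekly(4)/monthly(12) dump rotation with a completeness check.
# Hypothetical layout: $root/hourly, $root/daily, $root/weekly, $root/monthly.
# Date parts (YYYY-MM-DD, HH, ISO day-of-week 1-7) are passed in by the caller
# rather than read from the clock, so the logic is testable and portable.

# count_files <dir>: number of entries in a directory (whitespace trimmed).
count_files() { ls -1 "$1" | wc -l | tr -d ' '; }

# verify_dump <file>: refuse empty or truncated dumps. mysqldump ends a dump
# with a "-- Dump completed on ..." line (absent if --skip-comments is used),
# so a dump cut off by a full disk or a killed process fails this check.
verify_dump() {
  f=$1
  [ -s "$f" ] || { echo "empty dump: $f" >&2; return 1; }
  grep -q '^CREATE TABLE' "$f" || { echo "no tables in dump: $f" >&2; return 1; }
  tail -n 1 "$f" | grep -q '^-- Dump completed' \
    || { echo "truncated dump: $f" >&2; return 1; }
  return 0
}

# prune <dir> <keep>: delete all but the newest <keep> files. File names embed
# zero-padded dates, so lexical order is chronological.
prune() {
  dir=$1; keep=$2
  excess=$(( $(count_files "$dir") - keep ))
  [ "$excess" -gt 0 ] || return 0
  ls -1 "$dir" | sort | head -n "$excess" | while read -r f; do
    rm -f "$dir/$f"
  done
}

# store_dump <root> <dump> <YYYY-MM-DD> <HH> <dow>: file the dump into every
# tier it qualifies for, then enforce the 24/7/4/12 retention.
store_dump() {
  root=$1; dump=$2; day=$3; hour=$4; dow=$5
  verify_dump "$dump" || return 1            # never archive a bad dump
  for tier in hourly daily weekly monthly; do mkdir -p "$root/$tier"; done
  cp "$dump" "$root/hourly/db-$day-$hour.sql"
  if [ "$hour" = "00" ]; then                # first dump of the day is the daily copy
    cp "$dump" "$root/daily/db-$day.sql"
    if [ "$dow" = "7" ]; then                # Sunday: also the weekly copy
      cp "$dump" "$root/weekly/db-$day.sql"
    fi
    if [ "${day##*-}" = "01" ]; then         # first of the month: monthly copy
      cp "$dump" "$root/monthly/db-$day.sql"
    fi
  fi
  prune "$root/hourly" 24
  prune "$root/daily" 7
  prune "$root/weekly" 4
  prune "$root/monthly" 12
}
```

Wire it to cron as `mysqldump ... > /tmp/db.sql && store_dump /backups /tmp/db.sql "$(date +%F)" "$(date +%H)" "$(date +%u)"`, sync the backup root to an offsite location whose credentials cannot delete old copies, and schedule the restore-into-a-scratch-database test separately.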
Application Hardening
The most common mass attacks target web applications. Popular open source applications (e.g. WordPress, Drupal, Magento) and sites built on frameworks such as Django are the most targeted, because one working exploit applies to thousands of sites. Hardening a given application requires a deep understanding of the application and its known vulnerabilities. Second to backups, this is the most important component of an effective protection plan. Ours specifies the following:
- Hide common application signatures: application name, version number, login URL and license or readme files. This fixes no vulnerability on its own, but it keeps the site off the target lists that mass scanners build by fingerprinting versions.
- Block IP addresses after multiple failed login attempts. This blunts brute-force attacks. It can occasionally lock out a legitimate admin, but that is a small cost compared to the benefit; make the block temporary (an escalating lockout rather than a permanent ban) so a typo does not become an outage, and remember that distributed attacks rotate through many addresses, so strong passwords on admin accounts are still required.
- Use blacklists to block traffic from known bad actors (IP reputation lists and known-malicious user agents).
- Monitor file changes daily. This is an excellent early detection method: a compromised site almost always has new or modified files (a web shell in an upload directory, injected code in a theme or core file). Take a baseline after every clean deploy or patch, compare the live tree against it, and alert on any difference. We have written a custom script that monitors file changes daily.
- Use SSL/TLS on all pages, not just login and checkout. Encrypting every request protects session cookies and form data in transit, and search engines give a moderate ranking benefit to HTTPS sites.
- Prevent file execution from media directories. Upload directories are, by nature, the least trusted part of the site: they are writable by the application and filled with user-supplied content. Most applications store assets (images, for example) in discrete directories, so configure the web server to refuse to execute scripts from within them; an uploaded .php file then becomes an inert download instead of a backdoor.
- No "admin" user. A default account name gives a brute-force attacker half of the credential for free; rename or remove the default administrator account and give each administrator a personal account.
- Keep the application patched. Once a vulnerability is public, a patch invariably follows, and so do the exploits. Apply patches promptly, and include plugins, themes and extensions, which are patched less reliably than the core application. Patching protects you against everything that is already public; it cannot protect you against what is not.
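The file-change monitoring and the no-execution rule for media directories, as an added example in POSIX shell; this is not Flint Digital's script. It assumes GNU coreutils (sha256sum, find, diff) and awk, an Apache 2.4 server for the .htaccess rule, and hypothetical web root, manifest and directory names supplied by the caller.

```shell
#!/bin/sh
# File-change detection for a web root, plus two checks for upload/media
# directories. Assumes GNU coreutils (sha256sum, find, diff) and awk; the web
# root, manifest path and media directory names are whatever the caller passes.
# Paths containing whitespace are not handled.

# hash_tree <webroot>: "sha256  ./relative/path" for every regular file, in a
# stable order so two manifests can be compared line by line.
hash_tree() {
  ( cd "$1" || exit 1
    find . -type f -print | LC_ALL=C sort | while read -r f; do sha256sum "$f"; done )
}

# baseline <webroot> <manifest>: record the known-good state. Take it right
# after a clean deploy or patch, and keep the manifest outside the web root so
# an intruder cannot rewrite it to match their changes.
baseline() { hash_tree "$1" > "$2"; }

# compare <webroot> <manifest>: print added / removed / modified files relative
# to the baseline and return 1 if there are any (so cron can alert on it).
compare() {
  cur=$(mktemp)
  hash_tree "$1" > "$cur"
  # diff lines look like "< hash  ./path" (baseline) and "> hash  ./path" (now):
  # a path on both sides changed content, a path on one side was added/removed.
  diff "$2" "$cur" | awk '
    /^</ { old[$3] = 1 }
    /^>/ { new[$3] = 1 }
    END {
      for (p in old) { if (p in new) print "modified " p; else print "removed  " p }
      for (p in new) { if (!(p in old)) print "added    " p }
    }'
  if diff -q "$2" "$cur" >/dev/null; then status=0; else status=1; fi
  rm -f "$cur"
  return "$status"
}

# exec_files_in_media <webroot> <dir>...: list anything under the media
# directories that the server could execute. Legitimate uploads are images and
# documents; a .php file here is the classic web-shell drop.
exec_files_in_media() {
  root=$1; shift
  for d in "$@"; do
    [ -d "$root/$d" ] || continue
    find "$root/$d" -type f \( -name '*.php' -o -name '*.phtml' -o -name '*.phar' \
      -o -name '*.cgi' -o -name '*.pl' -o -name '*.py' -o -name '*.sh' \)
  done
}

# write_no_exec_htaccess <dir>: Apache 2.4 rule that refuses to serve script
# files from a media directory even if one gets uploaded (requires AllowOverride
# to permit .htaccess; on nginx the equivalent "location" rule goes in the
# server config instead).
write_no_exec_htaccess() {
  cat > "$1/.htaccess" <<'EOF'
# No server-side execution in media directories.
<FilesMatch "\.(php|phtml|phar|cgi|pl|py|sh)$">
    Require all denied
</FilesMatch>
EOF
}
```

Run `compare` from cron and mail its output when it returns non-zero; the same run can call `exec_files_in_media` so a dropped web shell is reported even if the upload directory is excluded from the manifest because it changes constantly.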
Firewall
A firewall can block malicious traffic before it ever hits your server. It is a very effective line of defense that prevents common attacks and reduces unnecessary server load. The cloud firewalls we use do the following:
- Sit in front of the server. Your DNS points at the firewall rather than at the origin, so every request passes through it and is inspected for suspicious activity, blacklisted IPs, spammers, bots and more. For this to work the origin server must accept web traffic only from the firewall's address ranges; otherwise an attacker who learns the origin IP simply goes around the firewall.
- Allow legitimate traffic through. Rules factor in geographic location, network location and malicious URL patterns, among other signals, and can be customized to business requirements.
- Protect against known malicious traffic patterns, including Distributed Denial of Service (DDoS) attacks, which the provider's capacity absorbs before they reach your server.
- Virtual patching. The firewall filters requests matching a known exploit until the application itself can be patched. This is very useful for zero-day exploits, but it is a stopgap, not a substitute for the patch.
- Performance boosts. Caching static assets such as images, CSS and static pages at the firewall's edge lets the site run faster. This can significantly increase site performance and help SEO.
Uptime Monitoring
Like backups, this is a best practice. Uptime monitoring is an excellent early warning that something has gone awry, hack or otherwise; a defaced page, a redirect injected by malware or a server knocked over by an attack all show up here first. Knowing your site is down before your customers do is also pretty neat. We recommend that uptime monitoring services do the following:
- Check at one-minute intervals. Any less frequently and you might miss short outages. Check for an expected string in the page as well as the HTTP status; a defaced or malware-injected page usually still returns 200 OK.
- Monitor page load time. Slow sites are almost as bad as sites that are down, and a sudden slowdown can be the first symptom of a compromise.
- Send push, SMS and email notifications, both when the site goes down and when it comes back up.
- Check from multiple locations, preferably several in the US and around the globe, so a single monitoring node's network problem is not mistaken for an outage.
Malware Monitoring
There are some very clever ways that your site can be compromised, including malware that the methods above may not detect. We have recently started to implement continuous malware monitoring that scans the entire web root and alerts if malware is detected. The tool includes the following features:
- Platform agnostic. Works on all web platforms and custom applications.
- Scans every 12 hours. Sites are scanned twice daily to ensure early detection.
- SMS and email alerts. We are notified immediately, so clean-up can start at once.
- Blacklist monitoring. Checks whether the site has been added to any blacklist (search engine and browser safe-browsing lists, for example). A blacklisted site loses search traffic and shows visitors a warning page.
- DNS and TLS certificate change monitoring. Watches for more obscure but effective attacks on the domain's name records and certificates, such as a hijacked registrar account pointing the domain at an attacker's server.
- Continuously updated malware database. The scanner subscribes to a malware signature feed so it can spot emerging malware. Signature scanning still misses new or obfuscated code, which is why file-change monitoring stays in the plan alongside it.
Site Isolation
While hosting multiple sites on one server has certain efficiencies, separating websites into discrete server containers limits the damage to other sites should one become infected: a web shell on one site cannot read the other sites' configuration files and database credentials. At a minimum, run each site as its own OS user (its own PHP-FPM pool, for instance) with file permissions that keep it out of the others' directories. This should be considered case by case, as some configurations make it more difficult.
Cleanup
This is most useful when the preventative measures fail and the Barbarians have breached the wall (no offense to Barbarians intended). We have recently implemented a third-party cleanup solution that we have tested with excellent results. The files it cleans usually expose the original vulnerability, which lets us take the appropriate action to eliminate the exploit rather than just removing its payload; a cleaned site with the original hole still open is simply reinfected.
In website security, an ounce of prevention is certainly worth a pound of cure. I speak from the experience of long nights cleaning infected sites. I realize the plan as outlined is overwhelming. While non-technical users can implement some of these steps, most belong in the hands of an expert. If you would like Flint Digital to execute a security plan for your organization, please feel free to send us a note.