When security goes wrong
The web is full of threats: malicious software, web bugs, phishing websites, and much more. New threats are discovered daily, and security systems and security firms are constantly updating in order to respond to them effectively. But as attackers become more technologically advanced and their attacks more sophisticated, many threats and attacks on businesses still succeed.
According to the 2012 Data Breach Investigations Report conducted by Verizon Business, 74% of organizations experienced a DDoS attack in the past 12 months. The WhiteHat Website Security Statistics Report states that 86% of all websites have at least one serious vulnerability. A Gartner study found that 75% of all cyber-attacks target web applications. And another study, State of Web Security, conducted by the Ponemon Institute, found that 33% of all websites had at least one serious vulnerability every day of the year in 2012.
When security goes wrong, the results can be disastrous. Hackers can breach accounts and access confidential client and customer information, legal documentation, financial records, contracts, sensitive company information and much more. Many of the threats come in the form of malware or phishing attacks, but others can include DDoS attacks and social engineering methods.
When a data breach is successful, attackers will typically attempt to use the accessed data to their advantage or gain. If they can use it to blackmail a company, they will. If they can use it to ruin a company, they will. If they can use it for financial gain, they will. And they may delete data, sometimes because there is nothing there they can use, and sometimes in an attempt to cover their tracks. In this article, you will learn some of the best methods and responses to use when your worst nightmare comes true, as well as some preventative measures that ensure that no matter what happens, none of your company data will be lost.
Hackers
The majority of web attacks are carried out through malware and phishing attacks by hackers. Once information has been gained, the hackers will use it to access company accounts, bypass security systems or gain access to other parts of the company infrastructure.
The rise of hacktivism over the last several years has contributed to the majority of data theft. Hacktivists include major organized hacking groups such as Anonymous, Anti-Sec, LulzSec, AnonGhost, Iranian Cyber Army and the Syrian Electronic Army. These groups attack financial institutions, businesses and government sectors. Many hacktivist attacks are simply designed to destroy websites or cause them to go offline for long periods of time, but they are also responsible for 58% of data thefts. (Citation needed) The most common attacks are performed using SQL injection and cross-site scripting, along with DDoS attacks.
The results from hacking attacks vary from website and company downtime to data theft and data loss, which can include company information, client information or financial records. The loss or theft of such information can be disastrous, costing companies thousands of dollars or more.
DDoS Attacks
Distributed Denial of Service (DDoS) attacks are one of the most common attacks by hackers and hacktivists. The goal of a DDoS attack is to bring down a website or security system by a constant barrage of data packets that eventually overload and cripple the specified target. The most popular hacktivist group, Anonymous, is well-known for its DDoS attacks against political, government and business targets.
Social Media Monitoring
If you believe that your company may be targeted by one of the many hacktivist groups out there, a good way to keep tabs on them is by monitoring social media. Many of them use Facebook, Twitter, YouTube, internet forums and IRC channels to communicate. Oftentimes they will discuss what types of attacks and what types of tools they will use, which will allow you and your security team to be prepared when an attack occurs. Your security team can also prepare countermeasures that block the traffic generated by the tools used in DDoS attacks.
There are many tools available for download that should be examined as well. From individual tools to entire suites of tools, or configuration tools such as “booster packs,” these tools can be examined and countered by your security professionals.
Professional hackers are harder to defend against because they keep their secrets to themselves. The only discussions may take place over instant messaging or on a few internet and IRC channels with strict membership requirements and encryption for anonymous posting. Your best bet is to subscribe to internet security email lists, join security forums and keep up with security conferences such as DEF CON. If you can get access to hacker intelligence reports and other breaking news, this will help you keep your security team up to date on the latest threats.
Another method is to monitor specific groups, or your company's brand name, by using Google Alerts to email you every time a post containing any of the specified search terms appears. This way, you can keep up with everything a specific group posts online, and you will be alerted if any posts are made containing your brand name. This can help you quickly identify attackers who are plotting against your company.
Emergency Response
In the event of an attack, you should have a proper emergency response plan in place. This should include an emergency response team that can be called upon to act quickly and assess the situation. If the attack is severe enough, the team can be deployed 24/7, working in shifts if necessary. This team can consist mostly of IT personnel, but can also include outside professional security contractors depending on the attack's severity.
If outside security contractors are needed, they can evaluate all potential risks including application, end-user, network, social engineering and physical threats.
You should create a list of emergency contacts who can be reached immediately in the event of an attack. These contacts should be organized and should include name, phone, email, instant message handle, etc. Here are some of the areas that should be included:
- IT personnel: IT operations, application development, legal, database administration, IT security, executive management and anyone else who needs to be contacted in case of an attack.
- DDoS protection services
- Internet Service and DNS providers
- If necessary, independent security consultants and professionals, Security Information and Event Management (SIEM) vendors, and Intrusion Prevention System (IPS) vendors. These professionals can quickly assess the situation and give you help when an attack is critical.
- Keep a list of network and server information with your contact list. This information should include web server IP addresses, DNS servers, databases, database firewalls, web application firewalls, network firewalls, switches and routers.
- If available, disaster IP addresses
- Network diagrams of all data centers. These should be maintained so that the copies on hand are always the most up-to-date ones available.
Classify and Analyze Your Risk
Locate databases and applications and determine which of them contain sensitive and confidential data, such as social security numbers of clients or employees or any other personally identifiable information, credit card numbers or other financial records, personal healthcare information, or intellectual property. Classify which areas are most likely to be attacked. Even areas that do not contain sensitive information may be targeted if the attacker believes they do, or because they can be used to gain access to areas that do contain sensitive information.
Lockdown Web Apps
The most common targets of attacks are web apps, so your company should consistently update and test its web app firewall so that it is prepared to deflect an attack. Here is a list of processes that should be performed to ensure that your web app firewall is as well prepared as possible.
Examine the web app profile and update it as necessary. These areas should be checked to ensure that they are up to date:
- Remove URLs and directories that have been deleted from the site but are still listed in the profile.
- Check for parameter values that exceed their maximum lengths or contain unexpected characters, and look for other irregularities.
- Compare the current app profile against the results of recent vulnerability scan reports to ensure that every URL listed in the profile appears in the scan reports and has been assessed by the scanner.
- Implement policies that block whitelist violations, including parameter values with unauthorized characters such as question marks, brackets, etc. By blocking excessively long form field values, you can prevent SQL injection attacks and buffer overflows.
- The web app firewall can be configured to enforce HTTP protocol compliance. All security policies should be examined and updated. This can effectively defend against evasion techniques, DoS and buffer overflow attacks.
- Enable web app firewall policies such as cross-site scripting and SQL injection. Block all high-risk attack methods including directory traversal, remote file inclusion, local file inclusion, and cross-site request forgery.
- Configure your web app firewall to block vulnerability scanners and other reconnaissance tools that may inform attackers of vulnerabilities that can be exploited on your site.
- Ensure that your web app firewall policies are enabled to protect customer-facing, extranet or partner cloud applications.
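The profile checks above (stale URLs, oversized or malformed parameter values, scan coverage, whitelist violations) can be exercised on a small scale before they are configured in a commercial WAF. The following is an added example, not code from the original article or from any WAF product; the profile, URLs and parameter rules are constructed for illustration.

```python
import re

# Constructed sample web-app profile (hypothetical): each URL lists the
# parameters it accepts, each with a maximum length and an allowlist pattern.
PROFILE = {
    "/login": {
        "user": {"max_len": 32, "allowed": re.compile(r"^[A-Za-z0-9_.@-]+$")},
        "pw":   {"max_len": 128, "allowed": re.compile(r"^[^\x00-\x1f]+$")},
    },
    "/search": {
        "q": {"max_len": 64, "allowed": re.compile(r"^[A-Za-z0-9 ]+$")},
    },
    "/old/report": {   # stale entry: this page was deleted from the site
        "id": {"max_len": 8, "allowed": re.compile(r"^[0-9]+$")},
    },
}

def check_request(profile, url, params):
    """Return a list of whitelist violations for one request (empty = clean)."""
    spec = profile.get(url)
    if spec is None:
        return [f"unknown url {url}"]
    violations = []
    for name, value in params.items():
        rule = spec.get(name)
        if rule is None:
            violations.append(f"{url}: unexpected parameter {name}")
            continue
        if len(value) > rule["max_len"]:
            violations.append(f"{url}: {name} exceeds {rule['max_len']} chars")
        if not rule["allowed"].match(value):
            violations.append(f"{url}: {name} contains unauthorized characters")
    return violations

def stale_entries(profile, live_urls):
    """URLs still in the profile but no longer present on the live site."""
    return sorted(set(profile) - set(live_urls))

def unscanned_entries(profile, scanned_urls):
    """URLs in the profile that the last vulnerability scan did not cover."""
    return sorted(set(profile) - set(scanned_urls))

if __name__ == "__main__":
    # Constructed requests: one clean, one with question mark and brackets
    print(check_request(PROFILE, "/search", {"q": "quarterly report"}))
    print(check_request(PROFILE, "/search", {"q": "report?[1]"}))
    print(stale_entries(PROFILE, ["/login", "/search"]))
    print(unscanned_entries(PROFILE, ["/login"]))
```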
Consult With the Experts
Security consultants are professionals with years of experience in dealing with web attacks. These are typically individual contractors that will help you set up a competent security system, point out flaws and help you set up applications such as firewalls and network monitoring tools to help diagnose and prevent attacks from being successful.
If you experience an attack and don't feel comfortable handling it with only your company's security team, you can bring in security consultants during the attack to help you monitor the attack traffic and implement effective measures to counter and deflect the intrusion.
Penetration Test
One of the most effective ways to prevent a web attack from succeeding is to have a top security professional perform a penetration test on your system. Not only will this professional perform vulnerability scans and use the most commonly available tools in an attempt to breach your system, but they will also try source code and other attacks that the common script kiddie won't have access to, but that experienced hackers will know. This is why you need a very experienced security professional, a true hacker with the knowledge to throw everything at your system that a sophisticated attacker would use in a real web attack. The results of this test will show you where your vulnerabilities lie and what should be done to correct them.
Assess the Damage
Once the attack is over and the dust has cleared, your security team will need to conduct an assessment by analyzing the impact of the attack. This analysis should include examination of the alert logs from your SIEM and your WAF, and the results from all network monitoring tools. There are numerous questions that must be asked, including these:
- Did your network suffer downtime as a result of the attack?
- Was application performance or latency impacted as a result of the attack?
- Was any sensitive company data or confidential client information compromised during the attack?
- List the security applications and systems that were running at the time of the attack. Were they effective or were they compromised or breached?
- What improvements can be made to ensure that such an attack is not successful next time?
This assessment will leave you much better prepared for the next time an attack occurs. Preventing breaches and data loss is key, but if an attack is successful, is your company prepared for a possible wave of data loss?
Restore Lost Data from Cloud Backup
Having data stolen is bad enough, and the disastrous consequences can cost companies thousands or millions of dollars, or cause them to go out of business altogether. This is especially true in cases of data loss. When data is deleted, corrupted or simply vanishes, what can a company do? Hopefully your company is one of the few that actually has some type of backup system in place. But according to a recent study, approximately one third of all companies do not have any backup or disaster recovery system in place. In cases of data loss, these companies are at extreme risk of losing data that cannot be recovered. Contracts, client information, legal documents, financial statements and records, and much more: even if they can be replaced, it can take months or even years to recover all of the lost information. While cloud backup will not prevent an incident such as malicious hacking or a security breach, it can be the difference between the success and the demise of the company if an incident does occur. If a hacker is able to breach security and delete data, the data can be recovered immediately from the cloud backup service, and business operations can continue as normal.