My Web Site Has Been Hacked - Now What?

What to Do When Your Website Has Been Hacked

While the following is by no means exhaustive, here are a few suggestions to begin with if your web site has been hacked.

With recent industry reports indicating the alarming fact that more than 70% of all web sites have critical security flaws, you will most likely find yourself on the wrong end of a web application security breach at some point. It may have happened already; it may happen in the near future; or you may have hackers visiting your site every few weeks to gather up information.

If you own a business with an investment in a web presence, whether it is the core of your e-commerce sales or just a brochure site, you should be thinking about what could be a soon-to-be personal relationship with the hackers behind your very own security breach.

We all know the healthy lifestyle mantra – prevention (eat right, exercise, don’t smoke), early detection (periodic doctor visits), and health care (treatment when needed). It may not prevent or cure every major disease, but it lowers your chances of contracting one and raises the probability of surviving once you lose the dice toss. No magic here.

The three major parts of web application security, just like keeping yourself healthy, are just as straightforward – prevention, catching the problem as early as possible, and reacting quickly once a problem is discovered.

Prevention – Securing your Site

It goes without saying that the most cost-effective web security move is to make it as hard as possible for a hacker to breach your site. You’re never going to be hack-proof – recent breaches at Lockheed, Zappos and the FBI have taught us that. But you don’t want to find yourself on the wrong side of what we call “script kiddies” – usually young people who can write code and just get bored with their Xbox.

Security prevention runs the gamut from the simple and inexpensive to costly and complex enough to require outside expertise.

While the following list is by no means exhaustive, here are a few suggestions to begin with:

Turn on your system logs. System logs tell the story of access and usage of your IT system. If you have the resources, logs will also allow your IT staff to continually look for one-time and persistent security attack attempts – perhaps with the chance to prevent a breach before it happens. Even if you are short on resources and cannot monitor your logs, they will let you understand how breaches occurred and determine what data, if any, was compromised.

Encrypt all sensitive data as widely and as securely as possible. Data encryption is a one-time development effort, relatively inexpensive and worth its weight in PR gold should you have a data breach. Those magic words, ‘The data was encrypted – but no sensitive data was compromised,’ will make even the most embarrassing breach bearable.

Perform a vulnerability scan on all public web sites. Review all of your public web site scans and secure these sites against web application attacks. This is almost always a job for an outside firm with web application security skills.

Install virus and malware prevention throughout your organization. Malware has become a major security problem for home as well as business computers. A single malware-infected computer in your office can be the gateway through which hackers gain access.

Educate your staff. The weakest security link is often your staff. A skilled social engineer will run rings around a trusting, naïve staff member. It’s a mean world out there, fueled by a cybercrime community that often finds it easier to sweet-talk your staff out of company logins than it does to hack your secured IT environment.

Review your cyber insurance. When I speak to my associates on the risk management insurance side of the world, they tell me cyber risk insurance is one of the least-understood and least-used means of protection at our disposal. Remember, your IT environment will be breached one of these days regardless of what digital security efforts you make. If your financial liability is potentially large enough to break the company, I would suggest you cover your bets with cyber insurance.

Monitoring – How You Know When Your Site is Hacked

An even more amazing fact is the finding that in more than 60% of cases, it took months or years for the web site owners to detect they had been hacked. A clever hacker will compromise your systems and then set up subtle traps that allow him to collect data into the future.

We can assume most business owners would prefer to find out about a breach before seeing it announced on CNN.

Some of the simple means of detecting that your site has been hacked include:

Obvious web site changes. Some less than subtle hackers, perhaps script kiddies, will deface or delete portions of your web site just because they can and because it scores points among their hacker friends. Think of it as the equivalent of some kid spray painting your new car. Not so hard to spot.

Warning messages from search engines, browsers and anti-virus software. If your site has been hacked in order to spread malware, access may trigger warning messages across the Internet. Pay attention when friends or clients tell you they have seen these messages when using your site or systems.

Anomalies in your FTP and HTTP system logs. All external access activity can be tracked through these logs. If your IT staff is sophisticated enough (this is rare) or you have installed monitoring software, you should be able to pick up warning signs of unauthorized or malicious activity. (You have turned on your system logs, haven’t you?)

Suspicious code in your web site files. Many utilities can scan your web site’s source code for malicious code. Your IT team can probably run these scans periodically – and should.
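The log review the article recommends (turn on your logs, then look in them for one-time and persistent attack attempts) can be started with a few lines of script before any monitoring product is bought. The following is an added example, not the author's or 403 Web Security's tooling: it parses web server access logs in the Apache/nginx "combined" format (an assumption about your server configuration), summarises each client's behaviour, and flags clients that produce many client-side errors or repeatedly request administrative or configuration paths that ordinary visitors never ask for. The sample log lines are constructed for the example; the thresholds are starting points to tune against your own traffic.

```python
"""Flag suspicious clients in web server access logs.

Added example for this article, not the author's own tooling.
Assumes the Apache/nginx "combined" log format.
"""
import re
from collections import defaultdict

# Combined log format: ip ident user [time] "method path proto" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Paths that legitimate visitors of a brochure or shop site rarely request;
# several of them in a row from one client is a classic probing pattern.
SENSITIVE_PATH_RE = re.compile(r"(/admin|/wp-login\.php|/phpmyadmin|/\.env|/\.git)", re.I)

# Constructed sample: one ordinary visitor, one client probing for admin pages,
# and one line that does not parse (log corruption happens; count it, don't crash).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET / HTTP/1.1" 200 2326 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "GET /products HTTP/1.1" 200 5120 "http://example.test/" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Oct/2023:13:55:40 +0000] "GET /about HTTP/1.1" 200 1800 "http://example.test/" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Oct/2023:14:02:01 +0000] "GET /wp-login.php HTTP/1.1" 404 210 "-" "-"',
    '198.51.100.7 - - [10/Oct/2023:14:02:01 +0000] "GET /admin HTTP/1.1" 404 210 "-" "-"',
    '198.51.100.7 - - [10/Oct/2023:14:02:02 +0000] "GET /.env HTTP/1.1" 404 210 "-" "-"',
    '198.51.100.7 - - [10/Oct/2023:14:02:02 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 210 "-" "-"',
    '198.51.100.7 - - [10/Oct/2023:14:02:03 +0000] "GET /backup.zip HTTP/1.1" 404 210 "-" "-"',
    '198.51.100.7 - - [10/Oct/2023:14:02:03 +0000] "GET /old/ HTTP/1.1" 404 210 "-" "-"',
    'garbage line that does not parse',
]


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def analyse(lines, err_threshold=5, probe_threshold=3):
    """Summarise behaviour per client IP and return (findings, unparsed_count).

    findings is a list of (ip, reason) pairs in the order clients first appeared.
    """
    per_ip = defaultdict(lambda: {"total": 0, "errors": 0, "probes": 0})
    unparsed = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            unparsed += 1
            continue
        stats = per_ip[rec["ip"]]
        stats["total"] += 1
        if 400 <= rec["status"] < 500:          # 4xx: client asked for something that is not there
            stats["errors"] += 1
        if SENSITIVE_PATH_RE.search(rec["path"]):
            stats["probes"] += 1
    findings = []
    for ip, stats in per_ip.items():
        if stats["errors"] >= err_threshold:
            findings.append((ip, f"{stats['errors']} client errors in {stats['total']} requests"))
        if stats["probes"] >= probe_threshold:
            findings.append((ip, f"{stats['probes']} requests for admin/config paths"))
    return findings, unparsed


if __name__ == "__main__":
    found, bad = analyse(SAMPLE_LOG)
    for ip, reason in found:
        print(f"{ip}: {reason}")
    print(f"{bad} unparsable line(s)")
```

Run it against a real log with `analyse(open("/var/log/nginx/access.log"))` (path is an assumption; use your server's). The two signals are deliberately simple so the script stays readable; the point of the article's advice is that once the logs exist, even a review this coarse surfaces the client that visited six pages that do not exist while your real visitors were looking at products.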
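Two of the detection methods above, noticing that site files have changed and scanning them for malicious code, can be combined into one periodic check. The following is an added example written for this article, not the author's tooling and not any particular product: it records a SHA-256 baseline of every file under the site root, reports files that were added, removed or modified since that baseline, and runs a few signatures (obfuscated `eval`, hidden iframes, very long base64 blobs) over the files that changed. The `demo()` function builds a constructed site in a temporary directory, then simulates a modified page and a new file under `uploads/`; the signatures and the `uploads/` path are assumptions about what injected code tends to look like and where it tends to land, not findings from any real site.

```python
"""Baseline a web site's files, report changes, and scan changed files for suspicious code.

Added example for this article, not the author's tooling. Assumes the script runs
on the server or on a copy of the deployed files, and that the saved baseline is
kept somewhere the web server process cannot write to.
"""
import hashlib
import os
import re
import tempfile

# Signatures common in injected PHP/JS and rare in hand-written site code (assumed set).
SUSPICIOUS = {
    "obfuscated eval": re.compile(r"eval\s*\(\s*(base64_decode|gzinflate|str_rot13)\s*\(", re.I),
    "hidden iframe": re.compile(r"<iframe[^>]+(display\s*:\s*none|width=[\"']?0)", re.I),
    "long base64 blob": re.compile(r"[A-Za-z0-9+/=]{200,}"),
}


def sha256_file(path):
    """Hash a file in chunks so large uploads do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map relative path -> SHA-256 for every file under root."""
    baseline = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = sha256_file(full)
    return baseline


def diff_baseline(root, baseline):
    """Compare the files under root with a saved baseline."""
    current = build_baseline(root)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in current if p in baseline and current[p] != baseline[p]),
    }


def scan_file(path):
    """Return the names of the signatures that match the file's text."""
    with open(path, "r", errors="replace") as fh:
        text = fh.read()
    return sorted(label for label, rx in SUSPICIOUS.items() if rx.search(text))


def _write(root, rel, text):
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "w") as fh:
        fh.write(text)


def demo():
    """Constructed scenario: baseline a clean site, then detect two later changes."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "index.php", "<?php echo 'Welcome'; ?>")
        _write(root, "js/app.js", "document.title = 'Shop';")
        baseline = build_baseline(root)           # save this somewhere read-only in practice
        # Simulated changes: an obfuscated call dropped into an existing page (the
        # base64 here decodes to the harmless word "hello") and a new file in uploads/.
        _write(root, "index.php", "<?php eval(base64_decode('aGVsbG8=')); echo 'Welcome'; ?>")
        _write(root, "uploads/cache.php", "<?php echo 'placeholder'; ?>")
        changes = diff_baseline(root, baseline)
        hits = {p: scan_file(os.path.join(root, p)) for p in changes["added"] + changes["modified"]}
        return changes, hits


if __name__ == "__main__":
    changes, hits = demo()
    print("changes:", changes)
    print("signature hits:", hits)
```

Note that the new `uploads/cache.php` matches no signature; the integrity check is what surfaces it, which is why the two methods belong together. A file-level scan is only as good as its signature list, so treat every added or modified file as worth a human look regardless of whether a pattern fired.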

Curing a Breach – What You Should Do When Your Site Gets Hacked

When a security breach does occur, you and your staff need to be ready to react quickly and decisively. My suggestions for the days, weeks and months following the breach are:

Don’t panic. Carefully consider the nature of the breach, what data (if any) has been compromised and what your next steps should be. A premature release of breach information may cause unnecessary customer panic or, even worse, make you look even more inept when you revise the information you sent out too hastily. Take the time to respond with dignity and thoughtfulness.

Review your system logs to determine how the breach occurred and what information was compromised. A good set of system logs will usually tell the complete story of your breach (I may already have asked, but did you turn on your system logs?). I would suggest bringing in security experts to review your logs to find out exactly what happened and to determine what data was compromised – this is usually pretty complicated stuff.

Repair your systems. While this may seem to be a ‘duh’ statement, you would be surprised at the number of businesses that take an incredibly long time (never in some cases) to repair known vulnerabilities. Also, while repairing the system that was breached, take a look at your entire IT world for similar problems – after all, it is probably the same IT staff that handles your whole IT environment.

If required, inform the appropriate financial and legal entities as soon as possible. Depending on your industry and location, there may be strict requirements for reporting security breaches. Your problem will only get worse if you are caught hiding information. Keep in mind the fact that many security breaches become public knowledge as the compromised data is used or sold within the cyber underground, not as a result of company disclosure. As a side note, an embarrassingly large number of security breaches are never discovered by the company that was breached.

Inform your users or clients and customers as soon as appropriate. There is a line between keeping your company viable and an ethical responsibility to your clients and customers. My thoughts on this line are to consider the damage that might be done to your clients and customers and think about how you would expect to be treated.

Call your insurance company. Depending on the nature of the breach, you may be covered for some, if not all, of the expenses associated with your recovery. Rather than assume you are on your own financially, I would suggest giving your insurance company a call. You might also take the time to talk about cyber insurance with your agent – for the next time.

Finally …

Basic web security isn’t rocket science. It just takes time and attention – perhaps the two things most businesses have the least of. But, like the healthy lifestyle drill, you don’t want to be on the wrong side of misfortune just because you were too busy.

Alan Wlasuk is a managing partner of 403 Web Security, a full service, secure web application development company. A Bell Labs Fellow award-winner with 18+ years of experience building secure web applications, Wlasuk is an expert in web security - from evaluation to web development and remediation.