Website Defacement

CERT-GH of the Cyber Security Authority provides the following advisory.

This is to advise all web host users, managers and business owners in Ghana of cases of website defacement identified by CERT-GH.

WHAT HAPPENED?

Website defacement is an attack on a website that changes the visual appearance of the site or webpage. It is similar to drawing graffiti, only it happens virtually as a kind of electronic graffiti and is a form of vandalism. Defacements are typically the work of hackers, who break into a web server and replace the hosted website's content with content of their own. Attackers have different motivations when they deface a website. Political motivation is one: defacement is often used by "cyber protesters" or hacktivists to spread messages. Other attackers may choose to deface a website for fun – to mock site owners by finding website vulnerabilities and exploiting these to deface a website. In both cases, website owners face damage to their business and reputation once their sites are defaced.

DOES IT AFFECT ORGANISATIONS AND USERS?

Consequences of website defacement vary. Here are some consequences an organisation may face after its website has been attacked.

  • Potential Data Breach: Due to the noticeable nature of web defacement, some hackers use it as a form of diversion. With everyone's attention focused on the defacement, these hackers can then carry out more sinister activities without getting detected immediately. For instance, they could steal sensitive information, install malware, perform privilege escalation or carry out other nefarious acts.
  • Losing Customers: Visitors may be redirected to sites teeming with malicious code. They might be prompted to download malware onto their system, or it may download itself undetected. In such cases, your regular and new visitors may be concerned about visiting your page in the future, and you can potentially lose customers.
  • Impact on PageRank and Traffic: Search engines rank your website according to a number of factors. A higher-ranking website comes up first in the results of a search query. If your defaced website is flagged or identified as causing harm to its users, a search engine such as Google might add you to its blacklist. This means that you can lose up to 95% of website traffic that could be gained from Google search results.
  • Effect on Brand Image: Internet users worry about safety during their online experiences. If they notice you have failed to establish security measures on your website, they automatically conclude that you are either completely negligent in securing your website or are extremely ignorant about information security challenges and threats. Such conclusions can be devastating for your organisation's image.

MITIGATION PROCESS

  • Security audits and penetration testing: Unpatched systems are a prime target for hackers since they are susceptible to numerous vulnerabilities. Other known weaknesses are unused open ports on servers, which allow attackers to connect to servers without authentication, allowing remote execution of malicious code when connected to an unsecured network. Regular security audits are helpful in evaluating the security posture of an IT infrastructure (operating systems, service and application flaws, improper configurations, or risky end-user behaviour) and in better protecting the systems hosting the website.
  • Defend yourself against SQL injection attacks: SQL injection attacks involve the use of SQL statements inserted into data entry fields to affect the execution of predefined SQL statements. With the modified SQL statements, attackers have extracted sensitive information, obtained registered users' authentication details on a website and corrupted databases, making websites unusable. To defend against SQL injection, use parameterised statements that ensure that the inputs passed into SQL statements are treated safely. Escaping inputs from input fields, which treats all inputs, especially special characters, as part of the string and not the end of the string, also defends against SQL injection.
  • Defend yourself against Cross-site Scripting (XSS) attacks: Cross-site scripting is when an attacker tries to pass scripting code into a web form to attempt to run unauthorised code on the website. It tricks an application into sending malicious script through the browser, which believes the script is coming from the trusted website. Each time an end-user accesses the affected page, their browser will download and run the malicious script as if it were part of the page. To defend against XSS, validate the input, which ensures the application renders the correct data and prevents malicious data from harming the site, database and users.
  • Use defacement monitoring and detection tools: The effects of web attacks leave companies with a short time to react and perform damage control after an incident. Defacement monitoring and detection tools are the best solutions to monitor any defacement or unauthorised integrity change in websites. These are some of the most used monitoring and detection tools: Banff Cyber's WebOrion Defacement Monitor, Site24x7 and Nagios. Careful evaluation and configuration of the tools to detect both full and partial defacements involving HTML and linked images, scripts, and stylesheets are important to ensure an effective tool is in place.
  • Prepare to respond to defacement incidents: What do we do when our website is defaced? An exemplary detection tool only tells you when your website is defaced but not the action to be taken. Therefore, it is important to put in place a set of incident response procedures and ensure that you have the right personnel to respond to a web defacement. The technical response team will likely involve the security manager, web admins/web developers, and web servers. It may also be important to have corporate communications prepare a public message to preserve the company's web reputation and have a maintenance web page to inform customers. Make an action plan for handling the restoration process that will shorten the time for recovery.
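
The integrity check behind the defacement monitoring item above, as an added example that is not part of the CERT-GH advisory or of any tool it names: a page and each image, script and stylesheet it links are hashed and compared with a known-good baseline, so a partial defacement that leaves the HTML untouched is still reported. The `fetch` callable and the sample site are assumptions constructed for the illustration.

```python
import hashlib
from html.parser import HTMLParser

class LinkedAssets(HTMLParser):
    """Collect the URLs of images, scripts and stylesheets a page references."""
    def __init__(self):
        super().__init__()
        self.urls = []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("img", "script") and a.get("src"):
            self.urls.append(a["src"])
        elif tag == "link" and "stylesheet" in (a.get("rel") or "").lower():
            if a.get("href"):
                self.urls.append(a["href"])

def snapshot(fetch, page_url):
    """Return {url: sha256} for the page and every asset it links to."""
    body = fetch(page_url)  # fetch is supplied by the caller (hypothetical)
    parser = LinkedAssets()
    parser.feed(body.decode("utf-8", "replace"))
    digests = {page_url: hashlib.sha256(body).hexdigest()}
    for url in parser.urls:
        digests[url] = hashlib.sha256(fetch(url)).hexdigest()
    return digests

def compare(baseline, current):
    """List (url, change) pairs; change is 'modified', 'added' or 'removed'."""
    changes = []
    for url in sorted(set(baseline) | set(current)):
        if url not in current:
            changes.append((url, "removed"))
        elif url not in baseline:
            changes.append((url, "added"))
        elif baseline[url] != current[url]:
            changes.append((url, "modified"))
    return changes

# Constructed sample site (not real content): URL -> bytes served.
GOOD = {
    "/": b'<html><link rel="stylesheet" href="/site.css">'
         b'<img src="/logo.png"><script src="/app.js"></script></html>',
    "/site.css": b"body{color:#222}",
    "/logo.png": b"\x89PNG-original-logo",
    "/app.js": b"console.log('menu')",
}
PARTIAL = {**GOOD, "/logo.png": b"\x89PNG-replaced-image"}  # HTML untouched
FULL = {"/": b'<html><h1>replaced</h1><img src="/banner.gif"></html>',
        "/banner.gif": b"GIF89a-constructed"}
```

Comparing a snapshot of `PARTIAL` with the `GOOD` baseline reports only `/logo.png` as modified, a change that a hash of the HTML alone would miss. Pages with dynamic content need the changing parts excluded before hashing, or every visit will look like a modification.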

HOW DO I STAY SAFE?

Here are general, minimal tips and advice from CERT-GH as precautionary steps:

  • Do not click on any email attachment or links provided in emails, social media platforms, or websites you are unfamiliar with.
  • Apply security updates and patches and stay up to date with the latest system versions.
  • Report the incident to CERT-GH at report@cybersecurity.gov.gh.
  • Share the advisory and precautionary steps among users in your organisation and communities for awareness purposes.

Key Advice:

Website defacement can damage a site's reputation and cause loss of valuable information and user privacy, loss of money and loss of time. It is therefore expedient to put mitigation and prevention techniques in place. To conclude, keep these tips in mind:

  • Keep software up to date
  • Watch out for SQL injection
  • Protect against XSS attacks
  • Beware of error messages
  • Validate on both the browser and the server-side
  • Check your passwords
  • Avoid file uploads by users
  • Use HTTPS
  • Get website security tools
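
The SQL injection and XSS defences described under MITIGATION PROCESS, as an added example that is not part of the CERT-GH advisory: a concatenated query beside its parameterised form, and stored form text written into a page raw beside the same text encoded at output. Output encoding with `html.escape` is a complementary control added here alongside the input validation the advisory recommends; the table, function names and inputs are constructed for the illustration.

```python
import html
import sqlite3

def make_db():
    """In-memory database holding constructed sample comments."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE comments (author TEXT, body TEXT)")
    db.executemany("INSERT INTO comments VALUES (?, ?)",
                   [("ama", "Great service"), ("kofi", "Site is slow today")])
    return db

def by_author_concatenated(db, author):
    """Vulnerable form: the field value becomes part of the SQL text."""
    sql = "SELECT body FROM comments WHERE author = '" + author + "'"
    return [row[0] for row in db.execute(sql)]

def by_author_parameterised(db, author):
    """Hardened form: the value is bound to a placeholder, never parsed as SQL."""
    sql = "SELECT body FROM comments WHERE author = ?"
    return [row[0] for row in db.execute(sql, (author,))]

def add_comment(db, author, body):
    """Store a comment with bound parameters, whatever characters it contains."""
    db.execute("INSERT INTO comments VALUES (?, ?)", (author, body))

def render_raw(bodies):
    """Vulnerable form: stored text is written into the page as markup."""
    return "".join("<li>" + b + "</li>" for b in bodies)

def render_escaped(bodies):
    """Hardened form: <, >, & and quotes are encoded, so the text stays text."""
    return "".join("<li>" + html.escape(b) + "</li>" for b in bodies)

# Constructed inputs for the demonstration.
QUOTE_INPUT = "x' OR '1'='1"
MARKUP_INPUT = "<script>alert(1)</script>"
```

With `QUOTE_INPUT`, the concatenated query returns every comment in the table while the parameterised query returns none, because the whole string is compared as an author name.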