Tips to protect against website defacing

Description

Website defacement could have serious consequences, such as damage to the site's reputation, loss of valuable information and user privacy, loss of money and loss of time.  Therefore, it is critical that you enroll the help of a monitoring service company that has expertise in the area so that a defacement can be quickly detected and restored, reducing any incurred losses. 

The National Data Management Authority is strongly against website defacing and urges web hosts to pay keen attention to the following tips that will enhance protection against this form of cyber-attack.

  1. Security Audits and penetration testing.

Hackers exploit unpatched vulnerabilities. They use open ports to attempt to connect the servers without logging on and execute malicious code over legitimate connection. Regular audit and penetration testing are helpful in evaluating the security of an IT infrastructure (operating systems, service and application flaws, improper configurations, or risky end user behaviour) and better protecting the system.

  1. Defend against SQL injection

Many web applications accept user input from a form and the user input is put directly into the SQL statement within the web application.  Example:

$result=$mysql->query (‘select email, userid FROM members Where email= “$email”’);

You could use bound variables, however it is better to avoid the use of dynamically generated SQL by using stored or canned procedures.

In addition, you could

  • Limit input only to accepted characters,
  • Whitelist.   The use of regular expression, list possible set of values if any,
  • conduct length checks. Check the length of the input against the length of the field.
  1. Defend against Cross Site Scripting

Cross site scripting allows attackers to embed scripting code into the webpage that could perform a variety of unauthorised actions. This may include changing the appearance of the webpage, stealing session cookies of other users of the website, or even as a means of preforming other XSS attacks on other websites. Most fields usually only need alphanumeric characters so be careful with special characters such as <, > and =.  It is also a good practice to use a web Application firewall (WAF).

  1. Use defacement and monitoring tools.

Zero day attacks leave us with very short time to react and preform damage control after an incident.  Defacement monitoring and detection tools are the best solutions to detect any defacement or unauthorised change in the website. Banff Cyber’s WebOrion, Site24x7 and Nagios are tools that could be used to execute this task.

  1. Prepare to respond to defacement incidents

A good detection tool only tells us when our website has been defaced but not the action that is to be taken. As such, it is critical that measures be put in place to respond to such an incident, ensure that the right personnel are on the response team.   It may also be important to have corporate communication and prepare public speeches.
To be secure, the webserver that has been defaced should be taken offline for detailed investigation and forensics, this could prevent deeper penetration of the organisation. You must also take note that the attacker may have penetrated deeper into the organisation to access application servers Databases etc. 

  1. Error Messages

Be careful of the amount of information provided in error messages. Detailed error messages should be logged locally and only simple error messages should be displayed to the user, since providing detailed messages could leak secrets of weakness present on your system and make attacks far easier.

  1. Be sure to enable Both server side/ form validation

Validation should be done on both server and client side to provide additional security. E.g. only allow numbers in a number field and preform deeper validation on the server in the case that this may have been bypassed.

  1. File uploads

Many files being uploaded may contain code that could be executed by the server. Changing the permission of files being uploaded by removing executable permission would prevent the server from attempting to execute it.

  1. Use HTTPs

HTTPS allows for secure communication between devices. When https is used across the entire website, data transmitted from one device to another is encrypted, making it unreadable. It is encrypted at one end and decrypted at the other end.

  1. Choose unique names for your admin directory

An ingenious way that hackers gain access to a website is by going straight and hacking into the admin directories.   They use scripts for giveaway names such as admin and login and focus their energies on entering these folders to compromise them. Choosing unique names could greatly reduce the possibility of potential breach.

  1. Use a different admin address

Make sure that the admin email that is used to login to a secure website is different from any address listed on your website contact info. Keeping this address private would prevent scammers from sending you phishing emails.

  1. Change your database prefix.

If your website uses blog or forum scripts, changing the default database prefix would make it harder for hackers to get data from your database.

Recommendations

  1. The National Data Management Authority Recommends that all Staff members of government entities  undergo Cybersecurity Awareness training at least twice a year.  It is the non-technical individuals that are targets of cyber-attacks.

  2. If the agency does not have a Cybersecurity Department, immediate measures should be put in place to ensure that cyber threats are mitigated and online information systems are secured.