16 February 2006
In the aftermath of the publication of the Prophet Mohammad cartoons, hacking of web sites has become a more frequent activity. Certain individuals and organizations seem to believe that this is an appropriate tool for promoting their views.
In particular, web sites in Denmark, the country where the cartoons first appeared, have been the target of such hacking and defacing of web pages.
It is not unlikely that organizations will experience similar defacing attacks as a device for protest even more frequently in the future. If this should happen to your corporation, it is important that you have made certain preparations in advance.
Every organisation should establish an incident response (IR) plan in case of a web defacing cyber attack. By doing so you acknowledge that an attack could happen to you, and if it were to occur, the IR plan would detail how you would deal with it. If your organization is the victim of such an attack, you will have lots of things to think about and tasks to take care of. That is not the time to create an IR plan.
As usual, proactivity is the better approach.
An incident response plan should address the following issues:
Your initial response is perhaps the most important issue.
The normal action would be to disconnect the compromised computer from the Internet immediately and not use it at all. Instead, copy the entire content of the computer, untouched, to another machine and use that one to investigate how the break-in was accomplished, when, by whom, etc. The original hacked computer is important evidence and should not be tampered with.
Ideally you should have a pre-configured computer ready to replace the hacked one, in order to get your web site up and running again as soon as possible.
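The copy-before-you-touch step described above, as an added example that is not part of the original article: a Python script that takes a file-level copy of a suspect web root, re-hashes every copy against its source, and writes a chain-of-custody manifest that can later be re-verified. The sample "defaced" site, the handler name and the evidence paths are constructed for the demo. A file-level copy captures content, timestamps and mode bits but not deleted files or unallocated disk space, so a full disk image is preferable when you can take one; the manifest and verification step apply equally to an image.

```python
"""Preserve a file-level copy of a suspect web root together with a
chain-of-custody manifest (added example, not the article's own procedure;
the handler name and the sample web root are constructed)."""
import hashlib
import json
import shutil
import tempfile
import time
from pathlib import Path


def sha256_of_file(path):
    """Hash in 1 MiB chunks so large artifacts need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def preserve_evidence(source_root, evidence_root, handler):
    """Copy every file under source_root into evidence_root, keeping
    timestamps and mode bits, and write MANIFEST.json describing each file
    as it was found. Each copy is re-hashed and compared with its source so
    a truncated or corrupted copy is caught at collection time."""
    source_root, evidence_root = Path(source_root), Path(evidence_root)
    evidence_root.mkdir(parents=True, exist_ok=True)
    manifest = {
        "collected_at": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        "handler": handler,                  # who took the copy
        "source_root": str(source_root),
        "files": [],
    }
    for src in sorted(p for p in source_root.rglob("*") if p.is_file()):
        rel = src.relative_to(source_root)
        dst = evidence_root / rel
        dst.parent.mkdir(parents=True, exist_ok=True)
        stat = src.stat()                    # metadata before anything touches it
        src_hash = sha256_of_file(src)
        shutil.copy2(src, dst)               # copy2 preserves mtime and mode
        if sha256_of_file(dst) != src_hash:
            raise IOError(f"copy of {rel} does not match its source")
        manifest["files"].append({
            "path": rel.as_posix(),
            "size": stat.st_size,
            "mtime": stat.st_mtime,
            "sha256": src_hash,
        })
    with open(evidence_root / "MANIFEST.json", "w") as fh:
        json.dump(manifest, fh, indent=2)
    return manifest


def verify_evidence(evidence_root):
    """Re-hash the preserved copy against its manifest. False means the
    evidence changed since collection and its chain of custody is broken."""
    evidence_root = Path(evidence_root)
    with open(evidence_root / "MANIFEST.json") as fh:
        manifest = json.load(fh)
    return all(
        (evidence_root / e["path"]).is_file()
        and sha256_of_file(evidence_root / e["path"]) == e["sha256"]
        for e in manifest["files"]
    )


def run_demo():
    """Build a constructed 'defaced' web root in a temp dir, preserve it,
    verify the copy, then show that tampering with the copy is detected."""
    work = Path(tempfile.mkdtemp(prefix="ir-demo-"))
    site = work / "www"
    (site / "img").mkdir(parents=True)
    (site / "index.html").write_text("<h1>site defaced</h1>\n")        # constructed
    (site / "img" / "logo.png").write_bytes(b"\x89PNG\r\n fake image bytes")
    evidence = work / "evidence"
    manifest = preserve_evidence(site, evidence, handler="on-call analyst")
    intact = verify_evidence(evidence)
    (evidence / "index.html").write_text("<h1>restored</h1>\n")        # simulate tampering
    tampered = verify_evidence(evidence)
    shutil.rmtree(work)
    return manifest, intact, tampered


if __name__ == "__main__":
    m, before, after = run_demo()
    print(f"{len(m['files'])} files preserved; intact={before}, after tampering={after}")
```

Keep the manifest (or at least its hashes) somewhere the investigation machine cannot alter, such as a printed copy or a write-once store, so that the verification step still means something if the analysis host is itself compromised.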
In certain circumstances, if you expect the hackers to return to your computer, there is a certain advantage in leaving the compromised computer on-line, acting as a honeypot. However, this is considered to be a rare situation.
In order to protect yourself against repeated defacing, it is of great importance that you find out how the defacing of your web site was carried out.
Was it a weak password or the exploitation of a vulnerability in a piece of unpatched software? Could you have prevented the attack, e.g. by having a stricter policy for deploying program patches? Should there be a corporate policy that can prevent such an event, and if there is such a policy, was it disregarded or overlooked in this case?
Answering these questions may be critical.
If the deed was carried out by an insider, you urgently need to find out who it is in order to act immediately. If the attacker is not an employee and is outside your legal jurisdiction, you will face a host of different issues, particularly if the attack is traced to other countries. Computer crime laws vary from country to country.
There are various regulations in different countries that may require you to report security breaches like the one discussed here. You should find out what rules apply in your country.
According to the 2005 CSI/FBI Computer Crime Survey from the USA, only 34% of the respondents reported intrusions to law enforcement agencies. Many organizations do not want to report these incidents because of possible negative publicity.
You should define your view on this before an attack occurs.
Hopefully you will never find yourself in a situation where your web server is defaced. However, if this should happen, and after the incident is sorted out, you should take the necessary time to evaluate what happened and how it could happen in the first place, and implement changes to keep similar incidents from happening again. Training employees in the revised practices should be part of this activity.
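One of the proactive changes the article argues for is noticing a defacement before a visitor does. As an added example that is not from the original article, the following Python script builds a hash baseline of a web document root and reports which files were modified, added or removed since the baseline was taken; the sample site and the defacement simulated in run_demo() are constructed.

```python
"""Baseline-and-compare integrity check for a web document root (added
example, not from the article; the sample site and the defacement
simulated in run_demo() are constructed)."""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def build_baseline(webroot):
    """Map every file under webroot (relative POSIX path) to its SHA-256.
    Build this from the clean, pre-configured image, never from a host that
    may already be compromised."""
    webroot = Path(webroot)
    return {
        p.relative_to(webroot).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in webroot.rglob("*") if p.is_file()
    }


def check_integrity(webroot, baseline):
    """Compare the live webroot with the baseline and return what changed.
    On a static site any non-empty result is an incident until proven
    otherwise; a defacement typically shows as modified index pages plus
    files the attacker added."""
    current = build_baseline(webroot)
    return {
        "modified": sorted(p for p in current if p in baseline and current[p] != baseline[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def save_baseline(baseline, path):
    """Store the baseline as JSON; keep this copy off the web server."""
    Path(path).write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(path):
    return json.loads(Path(path).read_text())


def run_demo():
    """Construct a small site, baseline it, simulate a defacement and
    return the check result before and after."""
    work = Path(tempfile.mkdtemp(prefix="deface-demo-"))
    site = work / "www"
    (site / "css").mkdir(parents=True)
    (site / "index.html").write_text("<h1>Welcome</h1>\n")          # constructed content
    (site / "about.html").write_text("<p>About us</p>\n")
    (site / "css" / "site.css").write_text("body { color: black }\n")
    baseline_file = work / "baseline.json"   # in practice stored on a separate host
    save_baseline(build_baseline(site), baseline_file)
    clean = check_integrity(site, load_baseline(baseline_file))
    # Simulated defacement: front page overwritten, a new page dropped, one page deleted.
    (site / "index.html").write_text("<h1>Hacked</h1>\n")
    (site / "owned.html").write_text("<p>protest message</p>\n")
    (site / "about.html").unlink()
    defaced = check_integrity(site, load_baseline(baseline_file))
    shutil.rmtree(work)
    return clean, defaced


if __name__ == "__main__":
    before, after = run_demo()
    print("clean site:", before)
    print("after defacement:", after)
```

Run the check from a separate monitoring host on a schedule (or from the pre-configured replacement machine) and keep the baseline file there, not on the web server: an attacker who can rewrite index.html can just as easily rewrite a baseline stored beside it. This detects a defacement rather than preventing one, so it complements, not replaces, the patching and password policies the article asks you to review.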