Hacking: prevention and how to handle

It calls for a lot of expertise and resources in order to successfully fend off systematic, highly sophisticated attacks – and even then, there is always a residual risk. 

Every attack is also subject to a certain economy: in practice, no attacker will keep an attack going indefinitely with unlimited resources. Which targets are selected depends, in particular, on the attacker's motive. Government hackers, whether secret services, the military or "digital blackwater", i.e. "private hackers commissioned by the government", usually pursue objectives that differ from those of hackers who engage in "hacktivism" (http://en.wikipedia.org/wiki/Hacker_%28term%29) or act from other motives.

Our information and advice is designed to provide assistance to anyone interested or affected but it does not claim to be complete and it is no substitute for further or more comprehensive security measures.

A typical "victim"

Absolutely any person or organisation that has a website is a potential victim. Although politically motivated hacker networks primarily attack political parties or interest groups, anyone who has business relations with an organisation classified as 'hostile' can also come under attack.

Cyber criminals who act out of financial interest pose a threat to anyone, because they try to make money out of the victim's data. This can involve stolen e-mails for spam campaigns or, for example, financial data. In many cases, security gaps in web content management systems (CMS) are exploited for an attack. However, attacks are by no means limited to CMS.

Prevention: what action should you take?

Create a requirements specification that defines the security requirements for your CMS and applications and defines the security management process.

Protect your web server and your database communication:

  • Define guidelines on patch policy: wherever possible, the most recent security updates should be applied, particularly on externally reachable systems – this applies to applications as well as to the operating systems used.
  • Database access by web applications should be as restrictive as possible – HTTP requests, for instance, can be restricted via Apache or an application firewall so that only "POST" or "GET" requests are permitted.
  • A two-stage concept with its own web service interface for the database increases security:
      • Security guidelines for access to the web service itself:
          • Access to administration interfaces should be restricted in such a way that access is not possible from the entire Internet (e.g. through access control lists)
          • Move the administration interface to interfaces that are only available internally
  • Auditing by corresponding specialists
  • Possible check of the web application by code review

If it is not possible to increase the security of the application itself, hardware appliances or application firewalls, for instance, can be used. These increase security but cannot replace comprehensive security guidelines. Hardware appliances often take into account the OWASP Top 10 Threats (https://www.owasp.org/). Protocol validation (HTTP) is sometimes one of the features of these hardware appliances.

We recommend that you subject critical systems to a security audit by specialists before the systems are put into productive use.

Increase the security of your web content management system:

  • Under Linux, Apache web server security can be increased with mod_security
  • Passwords should be saved in the database in encrypted form
  • Applications should help the user to select secure passwords, e.g. by requiring a minimum number of characters including numbers ("1234" is not a valid password)
  • Already when selecting the CMS, pay attention to the underlying security concept of the software (for instance, "Plone" has role-based security mechanisms and supports OpenID)
  • Consider security issues when selecting the database technology (e.g. PostgreSQL is conceptually less susceptible to SQL injection than MySQL or MS SQL).
  • Keep your CMS up to date!
  • Occasionally, hacker groups send warnings before attacks are carried out. Therefore regularly check messages sent to "public" e-mail addresses of your organisation – avoid unmonitored e-mail accounts
  • Monitor public announcements by hacker groups, e.g. via Twitter
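
As an added example (not code from the original page), this is how the two password points above are usually realised in practice: a policy check that rejects something like "1234", and storage of passwords as salted, iterated hashes rather than plaintext, using only Python's standard library. The minimum length of 10 characters and the PBKDF2 iteration count are assumed values.

```python
import hashlib
import hmac
import os
import re

MIN_LENGTH = 10        # assumed policy value: at least 10 characters
ITERATIONS = 100_000   # assumed PBKDF2 work factor; raise it as hardware allows

def password_problems(password):
    """Return the list of policy violations for a candidate password (empty = acceptable)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if not re.search(r"\d", password):
        problems.append("contains no digit")
    if not re.search(r"[A-Za-z]", password):
        problems.append("contains no letter")
    return problems

def hash_password(password, salt=None):
    """Return 'pbkdf2_sha256$iterations$salt_hex$hash_hex', the string to store in the user table."""
    salt = os.urandom(16) if salt is None else salt   # a fresh random salt per password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (ITERATIONS, salt.hex(), digest.hex())

def verify_password(password, stored):
    """Recompute the hash with the stored salt and parameters, then compare in constant time."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False
    _, iterations, salt_hex, hash_hex = parts
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), hash_hex)

if __name__ == "__main__":
    print("1234 ->", password_problems("1234"))
    record = hash_password("correct horse 42")
    print("stored:", record)
    print("login ok:", verify_password("correct horse 42", record))
```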

Damage limitation: What should you do in the event of an attack?

Politically motivated attacks usually seek maximum attention and are therefore easy to detect (defacement, DoS). It is more difficult when the perpetrator deliberately conceals himself. However, attackers send special server requests when they are looking for security gaps, and these requests differ from standard server requests, so an attempted attack can be detected by filtering the server and firewall log files accordingly. Intrusion detection systems give early warning of an attempted attack.
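
An added example of the log filtering this paragraph describes (not code from the original page): a small Python script that runs over Apache access-log lines and flags clients that use HTTP methods other than GET/POST (the restriction recommended in the prevention list above) or produce repeated 404s, which is what path probing by a scanner looks like in the web server log. The 404 threshold and the sample log lines are constructed for the example.

```python
import re
from collections import defaultdict

# Apache "combined" log format: ip ident user [time] "METHOD path PROTO" status size "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

ALLOWED_METHODS = {"GET", "POST"}   # the only methods the prevention list permits
NOT_FOUND_THRESHOLD = 3             # assumed: 404s from one client before we flag probing

def parse_line(line):
    """Return the fields of one access-log line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def find_suspicious(lines):
    """Map client IP -> sorted list of reasons why the client looks like a scanner."""
    not_found = defaultdict(int)
    reasons = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue   # unparseable line: skip rather than crash the filter
        ip = rec["ip"]
        if rec["method"] not in ALLOWED_METHODS:
            reasons[ip].add("disallowed method " + rec["method"])
        if rec["status"] == "404":
            not_found[ip] += 1
            if not_found[ip] >= NOT_FOUND_THRESHOLD:
                reasons[ip].add("repeated 404s (path probing)")
    return {ip: sorted(r) for ip, r in reasons.items()}

# Constructed sample log (not real traffic): one normal visitor, one probing client.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2017:10:00:01 +0100] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2017:10:00:02 +0100] "POST /contact HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Mar/2017:10:01:00 +0100] "GET /admin/ HTTP/1.1" 404 210 "-" "curl/7.5"
198.51.100.9 - - [10/Mar/2017:10:01:01 +0100] "GET /backup/ HTTP/1.1" 404 210 "-" "curl/7.5"
198.51.100.9 - - [10/Mar/2017:10:01:02 +0100] "GET /setup.php HTTP/1.1" 404 210 "-" "curl/7.5"
198.51.100.9 - - [10/Mar/2017:10:01:03 +0100] "TRACE / HTTP/1.1" 405 0 "-" "curl/7.5"
""".splitlines()

if __name__ == "__main__":
    for ip, why in find_suspicious(SAMPLE_LOG).items():
        print(ip, "->", "; ".join(why))
```

On a real server the same function can be fed the access log line by line; the hits are candidates for an access control list or for closer inspection, not proof of an attack.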

Vulnerabilities can be used to install so-called exploit kits on the server, which cause visitors to the website to be infected with malware. Firstly, the attackers want to infect as many computers as possible; secondly, the exploit kit is supposed to remain undetected for as long as possible.

In the event of a hack, please note the following tips, and also watch the communication channels that are used by the hackers themselves:

  • Stop and partition off any infected systems to prevent further unwanted data transmission. Stay calm!
  • Preserve the existing infection status. This includes:
      • web content
      • log files of the web server and operating system
      • firewall access logs
      • database logs
  • Create a precise analysis of any unlawfully copied data in order to obtain an overview of the extent of the attack.
  • Create a catalogue of measures in order to avoid a repeat of the attack.
  • Crisis communication: this should be done proactively, particularly if customer data or data of third parties are affected by the incident. Please ensure, however, that only confirmed information is published.

Help for those affected:

  • http://cert.at/ 
    CERT.at is the Austrian national CERT (Computer Emergency Response Team)

  • http://www.cybersecurityaustria.at
    The experts at CSA can usually give tips and tricks for initial measures in a prompt and straightforward manner, free of charge.

Help for prevention:


© 2017 IKARUS Security Software GmbH