There are lots of different types of attackers that may be very interested in your website. Here are some of the most frequent ways attackers can use your website and your web presence to harm your company, your users, and the public at large.
- Serving up malware: By embedding malware into an existing website, attackers trade on the trust you’ve built with your users to compromise their machines. The embedded malware then executes “drive-by” attacks on your users that can significantly damage your brand and impact a large number of people. A Chinese hacker group did this to target specific individuals registering for a foreign trade lobbying group ahead of a China-US presidential summit.
- Spoofing your website: Attackers can create websites with addresses similar to yours, using domain names that are confusingly close to the ones you already own. By tricking users into visiting these fake sites, attackers can harvest credentials and plant malware to gain access to the users’ systems. For example, in this recent Microsoft announcement, the domain “my-iri.org” was meant to imitate the International Republican Institute located at the domain “iri.org.”
- Getting into your infrastructure: Best practice is to keep your external website separate from your infrastructure. But that’s not always practical. If your website is connected to other parts of your network, an attack against your website can serve as a gateway for attackers to move further into your enterprise.
- Denial of service: Your website is your primary face to your customers. It’s also the place where angry customers can express their dissatisfaction. Hopefully, unsatisfied customers will stick to filling out a web form to lodge their complaint. But if they’re bored and skilled, occasionally they’ll take it to the next level and launch a denial of service attack to take your whole web presence offline.
- Defacement: At one time a common activity on the Internet, defacements have waned over the years. But hacktivists and other threat actors still target websites to gain control and change content to promote their ideology. Defacements are often crude, but they can still be jarring to your users and impact your company’s reputation.
Five things you can do
Managing cyber risk is a balancing act of cost versus risk, and your specific situation will be unique to your own organization. But there are some general truisms when it comes to securing your web presence and we’ve pulled together 5 recommendations that should apply to most organizations.
- Two factor everywhere: In general, you should use two-factor authentication (2FA) anywhere possible. But, in particular, when it’s your website, you should enable 2FA for administrators to limit the impact of compromised passwords. Many content management systems (CMS) don’t have 2FA support natively. However, there are plugins for every major CMS that enable 2FA support with common one-time password solutions.
- Don’t run your own website: Really, running a website is a lot of work. Maintaining the operating system, staying current on the content management system, staying current on best configurations and practices, and monitoring for various attacks is more effort than many companies are willing to put into their website. The good news is that you can pay others to run websites relatively cheaply, sometimes even for free depending on what your requirements are. If you’re running your website today, consider outsourcing it as soon as possible.
- Monitor for look-alike domains: Your website only has 1 correct spelling. Your users, however, don’t really pay that much attention, and there are many misspellings and deceptively named domains that may trick them into visiting a malicious site. There are lots of services that you can use to monitor potentially malicious domain registrations so you can work with registrars to take down infringing domains and warn your users.
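The screening that such a monitoring service performs can be approximated in a few lines. The following is an added example and not code from the original post or from any particular service: it generates the confusable variants defenders commonly watch for (adjacent-character swaps, dropped characters, a handful of homoglyphs, hyphenated prefixes and suffixes like the “my-iri.org” pattern above, and top-level-domain swaps) for a domain you own, then checks a constructed list of newly registered domains against that set. The domain, the registration feed, the homoglyph table, and the affix and TLD lists are all assumptions chosen for illustration.

```python
"""Look-alike domain screening for a domain you own (added example, not the post's own code)."""

# Constructed sample: the domain we own and a made-up feed of new registrations.
OUR_DOMAIN = "example.org"
NEW_REGISTRATIONS = [
    "exarnple.org",       # "rn" standing in for "m"
    "my-example.org",     # hyphenated prefix, like "my-iri.org"
    "example.com",        # same label, different TLD
    "exmaple.org",        # two adjacent characters swapped
    "unrelated-site.net", # should not be flagged
    "examp1e.org",        # digit one standing in for "l"
    "example-login.org",  # hyphenated suffix
]

# Assumed tables; a production monitor would use much larger ones.
HOMOGLYPHS = {"l": ["1", "i"], "o": ["0"], "m": ["rn"], "e": ["3"], "a": ["4"]}
AFFIXES = ["my", "login", "secure", "account", "support"]
TLDS = ["com", "net", "org", "info"]


def split_domain(domain):
    """Split 'label.tld' into its two parts (single-label domains only, for brevity)."""
    label, _, tld = domain.partition(".")
    return label, tld


def lookalike_candidates(domain):
    """Return the set of confusable variants of `domain` worth monitoring for."""
    label, tld = split_domain(domain)
    labels = set()
    # Adjacent-character transpositions, e.g. example -> exmaple
    for i in range(len(label) - 1):
        labels.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])
    # Single-character omissions, e.g. example -> exmple
    for i in range(len(label)):
        labels.add(label[:i] + label[i + 1:])
    # Homoglyph substitutions, one position at a time, e.g. example -> exarnple
    for i, ch in enumerate(label):
        for sub in HOMOGLYPHS.get(ch, []):
            labels.add(label[:i] + sub + label[i + 1:])
    # Hyphenated and joined prefixes/suffixes, e.g. my-example, example-login
    for affix in AFFIXES:
        labels.add(f"{affix}-{label}")
        labels.add(f"{label}-{affix}")
        labels.add(f"{affix}{label}")
    labels.discard(label)  # the genuine label is not a look-alike

    candidates = {f"{variant}.{tld}" for variant in labels}
    # The unchanged label under other TLDs, e.g. example.com
    candidates.update(f"{label}.{other}" for other in TLDS if other != tld)
    return candidates


def screen(domain, registrations):
    """Return the registrations that match a look-alike candidate, sorted for stable output."""
    candidates = lookalike_candidates(domain)
    return sorted(d for d in registrations if d in candidates)


if __name__ == "__main__":
    for hit in screen(OUR_DOMAIN, NEW_REGISTRATIONS):
        print("look-alike registered:", hit)
```

Exact-match screening like this is deliberately conservative: it only catches variants you enumerated, so it produces few false positives but will miss creative spellings. Commercial services add fuzzy matching and feed the hits into a takedown workflow with the registrar.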
- Patch and audit: If you do run your own website, you’ve got to stay current on patches. Modern CMSs make patching easy. Usually it just takes clicking a button. That’s super important because attackers can weaponize published vulnerabilities in CMSs in a matter of hours. It’s important that you patch as soon as possible and audit administrative access logs for suspicious activity.
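Auditing administrative access logs does not have to mean reading them by hand. The following is an added example, not code from the original post or from any CMS: it parses a constructed set of admin login records in an assumed “timestamp user ip result” format and flags three patterns that merit a human look: a successful login from an address not on a known-good list, a run of failed logins for one account immediately followed by a success, and a successful login outside normal business hours. The log format, the known-good address list, the business-hours window and the failure threshold are all assumptions.

```python
"""Audit CMS admin login records for suspicious activity (added example, not the post's own code)."""
from collections import defaultdict
from datetime import datetime

# Constructed sample log in an assumed "timestamp user ip result" format.
SAMPLE_LOG = """\
2024-03-04T09:12:01 admin 203.0.113.10 SUCCESS
2024-03-04T09:40:33 editor 203.0.113.11 SUCCESS
2024-03-04T02:15:07 admin 198.51.100.7 FAILURE
2024-03-04T02:15:09 admin 198.51.100.7 FAILURE
2024-03-04T02:15:12 admin 198.51.100.7 FAILURE
2024-03-04T02:15:14 admin 198.51.100.7 FAILURE
2024-03-04T02:15:20 admin 198.51.100.7 SUCCESS
2024-03-04T14:02:45 editor 203.0.113.11 FAILURE
2024-03-04T14:03:01 editor 203.0.113.11 SUCCESS
"""

# Assumptions: the office egress addresses admins normally log in from,
# the hours (local time) during which admin logins are expected, and how
# many consecutive failures before a success counts as password guessing.
KNOWN_ADMIN_IPS = {"203.0.113.10", "203.0.113.11"}
BUSINESS_HOURS = range(7, 20)
FAILURE_THRESHOLD = 3


def parse_log(text):
    """Turn the raw log text into a list of event dicts, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        timestamp, user, ip, result = line.split()
        events.append({
            "time": datetime.fromisoformat(timestamp),
            "user": user,
            "ip": ip,
            "ok": result == "SUCCESS",
        })
    events.sort(key=lambda ev: ev["time"])
    return events


def audit(events):
    """Return (kind, user, ip, iso_time) findings for successful logins that look suspicious."""
    findings = []
    consecutive_failures = defaultdict(int)
    for ev in events:
        if not ev["ok"]:
            consecutive_failures[ev["user"]] += 1
            continue
        stamp = ev["time"].isoformat()
        if ev["ip"] not in KNOWN_ADMIN_IPS:
            findings.append(("unknown_ip", ev["user"], ev["ip"], stamp))
        if consecutive_failures[ev["user"]] >= FAILURE_THRESHOLD:
            findings.append(("failures_then_success", ev["user"], ev["ip"], stamp))
        if ev["time"].hour not in BUSINESS_HOURS:
            findings.append(("off_hours", ev["user"], ev["ip"], stamp))
        consecutive_failures[ev["user"]] = 0  # a success resets the account's run
    return findings


if __name__ == "__main__":
    for kind, user, ip, when in audit(parse_log(SAMPLE_LOG)):
        print(f"{when} {user:8} {ip:15} {kind}")
```

Run against the sample, only the 02:15:20 “admin” login is reported, and it trips all three checks at once; the single failed “editor” login during the day followed by a success from a known address is left alone. A single signal is often explainable (travel, a late deploy); several on the same login is what should prompt a password reset and a closer look.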
- Limit plugins: Historically, CMSs have been a disaster from a security perspective. However, due to the risk they represent to websites, most CMSs have really stepped up their game and are relatively secure. The weak link is now the plugins that users install to add functionality. Be sure to vet your plugins before you install them. Some are well written and audited; others are sort of “fly by night” and have little to no support or documentation. Often, hosted CMS providers have a list of acceptable plugins. These lists are usually a good starting point for picking which ones you want to use.
The guidance above should help you explain how and why attackers compromise websites and what you can do to prevent it. But after the latest headline passes, use something like the NIST Cybersecurity Framework to explain your broader security strategy to execs. You’ll find it’s an invaluable tool that you can point to when the next headline hits about the risk they are consciously (or unwittingly) accepting based on the security investments they’ve approved.