In late 2012, the website of a popular international restaurant chain became victim to a malware attack. User credentials were compromised and JavaScript files infected. Attackers managed to exploit an out-dated subdomain site from 2009 that was still live, but no longer used and long forgotten.
Although this restaurant chain was unlucky to have been targeted, this case serves as a wake-up call to other organisations – who is maintaining your website?
Many third-party hosts are not responsible for updating customer websites, resulting in a higher probability of the site being targeted by hackers who commonly target old and unpatched subdomains. So what can organisations do to minimise the risk of an attack?
Craig Moore, Solentive Software’s Lead Architect, advises, “It is important to keep your software up-to-date, especially when it comes to security updates. They are released for a reason and generally as a result of a similar site being compromised. Do not assume that it won’t happen to you as well. The automated tools used to exploit vulnerabilities in software do not discriminate based on the size or content of the site – they simply look for an open door to any system they can find. An old and out-dated subdomain is a common gateway and should therefore be removed by website administrators.
“Do not expose more than you need – if you only need to administer the site from set locations, ask your provider to implement firewall restrictions on the addresses that can access the administrative functions of the site.
“If you’re not sure or don’t quite understand what needs to be done, find someone with the appropriate expertise to assist you. For most organisations, this can be facilitated through the hosting or service provider. You might be charged for the service, but the cost will be minimal compared to the financial impact of having your site compromised or defaced, not to mention, the damage to your organisation’s brand,” Moore insisted.
Organisations will need to ensure that the security of sites and systems is regularly updated. Generally, hosting services or service providers can assist with this.
However, the following should still be monitored:
User Accounts – Ensure that any inactive user accounts are disabled.
Passwords – Ensure that all user account passwords are not blank or simple. It always helps to include numbers and special characters rather than just letters. If your system or software does not allow you to enforce these kinds of passwords, communicate with your users the importance of maintaining the security of their user accounts.
Old Pages and Forms – When you no longer require a page, section, or form, remove it from the site. Any unused file can turn into an open door over a few months.
“When you no longer require a site or subdomain, it should be removed, even if it’s only removed from public availability. Finally, check your site every day, even if it is just a quick look across the main pages of the site. This activity will help you to stay connected with your site, reminding you of the state of the content and helping you to detect any problems that might arise. It is always better to identify a potential attack and respond, rather than letting your clients tell you about it,” concluded Moore.