Most of the government Agencies, Corporations and Private firms have now embraced website as means of connecting to their constituencies, disseminating public information and making their services accessible. Due to the always on nature of these public facing sites, they are more exposed to cyber attack.
Most of the websites are hacked because operating system, database, plugins CMS or related applications are not updated leaving them exposed to known vulnerabilities:
Some of the common channels used by hackers to take control of your system:
- Password compromised,
- PC or server infected with malware to capture credentials,
- Exploiting known or unknown vulnerabilities of unpatched systems,
- Exploiting another system hosted in same server
To diminish the risk of your site being hacked:
- Always ensure that the operating system and all applications are up-to date.
- Minimal installation of OS with only required applications installed reduces the attack surface area.
- Change Default login page and all default credentials, create complex password and secure them.
- Enforce password change atleast atleast once in every 6 months.
- Follow secure coding, (broken link and session management, insecure direct object references, security misconfiguration, SQL injection, XSS, CSRF, etc…).
- Provide only minimal information in error messages, too much of information makes the work of attacker easier.
- Minimised the use of Dynamic SQL code and where unavoidable make use of prepared statement, parameterized queries or stored procedures.
- Incorporate both client and server side validation, restrict input for length, format, type…., for instance for date allow only number or only characters for name.
- Implement proper file permission for uploaded file.
- If your site has forms, it’s recommended to have ssl certificate.
- Run all software as a non-privileged user, without administrative privileges, to diminish the effects of a successful attack.
- Make sure that the local machine used to access the admin panel as well as the server hosting the site is not affected by Malware.
- Always keep a backup, so that you have the way out if you are hacked.
- Always maintain access and error logs.
The site is hacked, what next:
- first thing first, take your website offline, and display maintenance note.
- clear unwanted content from affected pages.
- scan all the files and folder in your web application with an antivirus. You should also clean and re-host your web on a clean server because there are chances that your server/web app is infected with rootkits, trojans and backdoors or other virus.
- Change your system passwords(CMS Login, Hosting Login, Database, Local machine, FTP / sFTP access credentials, ssh, etc… )
- If your server also hosts other websites, scan them for malicious content.
- Review your access logs and error logs to check for successful remote login from suspicious ip addresses and learn how did it actually happen.
A comprehensive guide on securing website is available at http://csrc.nist.gov/publications/nistpubs/800-44-ver2/SP800-44v2.pdf .