At first glance, Web site defacement looks scary. According to security software and consulting firm Herndon, Va.-based...
TruSecure Corp., the number of Web site defacements have risen from 20 per day to more than 1,500 per day in the last three years. Among the reported victims are the Web sites of the U.S. House of Representatives, several NASA facilities and the U.S. Geological Survey.
But for most medium and large businesses, Web site defacement "is a very low risk, unlikely kind of thing," says TruSecure's Director of Research Services David Kennedy. That's because those larger organizations long ago mastered basic security processes, such as keeping servers updated with the most recent patches. These days most defacement victims, he says, are "mom and pop" organizations that lack the staff and knowledge to secure their own Web servers or rely on Web hosting services that don't have proper security procedures.
While international issues such as the war in Iraq spur politically motivated defacements, Kennedy says the most frequent type of defacement is the "Kilroy Was Here" variety, designed to show the attacker accessed the Web site rather than disfigure it with embarrassing or costly graffiti. Even last July's widely publicized Web defacement contest (sponsored by hacker groups) failed to hit any well-known sites.
However, it only takes one defacement to ruin your day, if not seriously hurt your career. The threat of Web site defacement is yet another reason to be sure you (or your Web site hoster) are practicing security basics. And if your Web site content is particularly sensitive from an economic, regulatory or legal standpoint, you may want to consider specialized software or hardware that specifically looks for, and can automatically repair, suspiciously altered content.
One of the most important tactics for preventing defacement is also one of the most common security practices: Keeping your operating systems and applications up to date with the latest security patches. "The things that cause defacements are usually really old flaws" in operating systems, says Kennedy. Take, for example, the well-known buffer-overflow vulnerabilities in Windows that allow hackers to flood a temporary data storage area with excess data. These vulnerabilities can be used to take control of an application server or change its contents. Security analysts warn that other popular operating systems such as Linux also need careful patching as they, too, have become popular targets for hackers.
Other common-sense defenses against defacement include configuring as read-only any file systems used to store static content in Web servers and securing databases that house Web content within separate DMZs (demilitarized zones.) All these measures, however, assume you have a well thought-out and well-enforced policy for securing your Web servers. This begins with deciding who is responsible for patching the servers, configuring the firewalls and moving Web content from staging servers to production systems. It may also include the need for stronger authentication to prove that site administrators are who they say they are before making changes to your site.
Block those changes
A number of tools that protect against general attacks on Web servers will also, of course, help prevent Web site defacements. They include application firewalls and secure server operating systems. Intrusion-detection systems are of little use in protecting application servers, says Kennedy, because they only notify of attacks after they happen.
If your Web site holds extraordinarily sensitive information (such as customer financial data), if it's a very high-profile site or if a defacement would cripple your business, you might want to consider tools that find, detect and can automatically reverse unauthorized changes to your site. I mentioned several of these, such as Liquid Machines and Pedestal Software Inc. in last month's Roundup on security policy enforcement tools.
One company focusing specifically on Web site defacement is Gilian Technologies Inc. Their G-Server sits in an organization's DMZ and compares the digital signatures of every object leaving the Web server with the digital signatures of the archived, original object. If the signatures match, then the content is sent to the user; if not, the content is replaced with a backup of the original object and sent to the user. The G-Server also monitors incoming HTTP and HTTPS requests to guard against common attacks such as buffer overflows that make it past a firewall and intrusion-detection system, the company says.
With prices starting at $24,900, products like the G-Server aren't for everyone. They can be a good investment for companies such as Amazon.com "whose very existence relies on people trusting" the content on their site, says Kennedy. But for everyone else, he says, if you can handle the basics of server security "you don't need to get into rocket science" to protect your Web site from cyber-graffiti.
About the author
Robert L. Scheier writes frequently about security from Boylston, Mass. He can be reached at firstname.lastname@example.org.