Website Defacement: How Much Damage Could Be Done to Your Business?
On the face of it, defacing an organization’s website might look like a prank. Replacing the real home page with one that announces “This site has been hacked!” shows that somebody got past whatever security was in place. Recent defacements of Indian websites have included those of the National Green Tribunal in New Delhi and the Government Law College (GLC) in Mumbai, apparently for reasons of political propaganda.
Much more worrying, however, is the potential for deeper damage to applications, systems, and networks, not to mention data theft and corruption. Many of the methods attackers use against website content can be turned against an organization’s other IT assets too.
Defacement or Full-Scale Hack?
Technically, website defacement and website hacking are often considered different. The term website defacement is used when the content of a website is illegally changed or deleted. The system hosting the website continues to function as before, except that it now displays the new, corrupted content. By comparison, website hacking affects the system, giving attackers partial or total access to files and control of an organization’s IT resources.
Using these definitions, it is possible for a website to be defaced but not hacked, or vice versa, hacked but not defaced. But what then about cross-site scripting (XSS) attacks? In these cases, the website content is corrupted by injecting code that attacks other systems when the content is downloaded for display in browsers or for use by other applications. The hosting system itself, however, may not have been modified or accessed in any way beyond the illegal modification of the website contents.
The Real Dangers Facing an Organization
Defacement of websites is only the tip of the iceberg. The unseen dangers are far greater. Risks include:
- Access to the entire database of contents used to drive a website, including possible confidential payment, customer, employee, student, or patient records
- Remote control of the application for managing the website, its contents, and its security settings
- Remote control of the server on which the website is hosted, with possible compromise of other applications and the potential to connect to and compromise other systems and the network that links them together
- Installation of malware to spy on data, exfiltrate existing and new files, develop further remote control, or sabotage normal system operations
- Destruction or corruption not only of current versions of data, but also of backup versions if these are not properly secured, making it difficult or impossible for an organization to repair damage done by an attack.
Yet in many cases, basic security controls can already protect organizations and their websites from such attacks. Download this free 10-point checklist for website security to see if your website and website server are adequately protected.
Continual Vigilance is Mandatory
If security weaknesses exist in a website system, it is critical to detect and fix them. Attempted attacks or attacks in progress must trigger alerts, and immediate containment and neutralization. Vulnerability and attack detection are continual activities, because IT systems change constantly and attackers use these changes as part of their attack methodology.
The time and effort required may mean that organizations are better served by a professional third-party service instead of tying up their own internal IT staff. The Paladion OnDemand website security service addresses these issues. Penetration testing (ethical hacking) can objectively assess security weaknesses, seeing website systems as hackers see them, to spot flaws before those bad actors can exploit them. Website defacement monitoring continually compares what a website is currently displaying with a correct baseline version, instantly raising the alarm if any differences arise.
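As an added illustration of the baseline-comparison check described above (example code written for this post, not Paladion’s own tooling), the following compares a fetched page against an approved baseline and reports exactly what changed; the sample pages, the render-timestamp and CSRF-token patterns are constructed assumptions about the monitored site:

```python
import difflib
import hashlib
import re

# Fragments that legitimately differ between fetches of the same page. These
# are assumptions about the monitored site, not something the article states:
# a render timestamp in the footer and a per-request CSRF token in a form.
# Without this step a monitor raises a false alarm on every fetch.
DYNAMIC_PATTERNS = [
    re.compile(r'Rendered at \d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}'),
    re.compile(r'name="csrf_token" value="[^"]*"'),
]

def normalize(html: str) -> list:
    """Blank out expected dynamic fragments and whitespace noise so that only
    genuine content changes alter the fingerprint."""
    for pat in DYNAMIC_PATTERNS:
        html = pat.sub('', html)
    return [line.strip() for line in html.splitlines() if line.strip()]

def fingerprint(html: str) -> str:
    """SHA-256 over the normalized page; store this as the approved baseline."""
    return hashlib.sha256('\n'.join(normalize(html)).encode()).hexdigest()

def check_defacement(baseline_html: str, current_html: str) -> dict:
    """Compare the live page with its baseline. Returns whether it changed and,
    if so, a unified diff so an analyst can see what was altered."""
    if fingerprint(baseline_html) == fingerprint(current_html):
        return {'changed': False, 'diff': []}
    diff = difflib.unified_diff(normalize(baseline_html), normalize(current_html),
                                fromfile='baseline', tofile='current', lineterm='')
    return {'changed': True, 'diff': list(diff)}

# Constructed sample pages (not a real site): the approved baseline, a later
# fetch differing only in dynamic fields, and a defaced copy of the home page.
BASELINE = """<html><body>
  <h1>Welcome to Example Corp</h1>
  <form><input name="csrf_token" value="abc123"></form>
  <p>Rendered at 2024-01-01 10:00:00</p>
</body></html>"""
BENIGN_REFETCH = BASELINE.replace('abc123', 'xyz789').replace('10:00:00', '10:05:00')
DEFACED = BASELINE.replace('Welcome to Example Corp', 'This site has been hacked!')

if __name__ == '__main__':
    for name, page in (('benign refetch', BENIGN_REFETCH), ('defaced', DEFACED)):
        result = check_defacement(BASELINE, page)
        print(name, '-> ALERT' if result['changed'] else '-> ok')
        print('\n'.join(result['diff']))
```

In a real deployment the baseline should be stored and compared from a system the web server cannot write to, otherwise an attacker who controls the server can simply update the baseline along with the page.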
Website Security Starts Now
Now is the time to make sure that your own organization is properly protected, starting with your 10-point website security tune-up. These 10 controls can already reduce or eliminate exposure to hackers, and save your organization from damage to both assets and reputation.