Risk
6/16/2011
03:45 PM
50%
50%

SMB Websites Face Mass Meshing Attacks

Here's how to protect your SMB website--and what to do if it's been compromised.

-- Do your homework on Web hosting providers, and choose a good one. Hackers love to target shared hosting vendors, because when they find a vulnerability it often leads to a bumper crop of sites they can hit. "Choose your Web hosting provider wisely," Huang said. "Some hosting companies are well-known to have vulnerabilities in their shared hosting environments." He added that there are good online forums where SMBs discuss their experiences with various hosting providers.

-- Run current antivirus software on all of your PCs, and especially those used to manage the website. Huang said that reliable, free options such as Microsoft Security Essentials mean even the leanest SMBs have "no excuse" to not deploy antivirus software.

-- Stay on top of critical software patches. Huang lists Microsoft, Adobe, and browsers as the top three priorities and says SMBs shouldn't delay downloading and applying fixes, especially when mega-updates such as Tuesday's Microsoft release come out.

-- Likewise, if you use turnkey, third-party website components such as shopping carts or content management systems, always keep them updated with the most current version--especially if they're open source. For example, Huang said: "As soon as WordPress releases a new version, the whole hacking community knows about the vulnerabilities of the previous version and they're ready to attack."

-- Scan your site's custom code for vulnerabilities. There are commercial systems available, but budget-conscious SMBs can do this without spending money. Huang points to NetSparker's community edition, for instance, and said that next month Armorize will release its own whitebox version of CodeSecure that will scan up to 10,000 lines of source code free of charge. He also notes a variety of online sources for extra guidance, such as The Open Web Application Security Project.

SMBs looking for extra help in spotting mass meshing threats should look to their existing website vendors; they might be able to leverage monitoring services as part of an existing agreement. Huang said SSL-certificate providers such as Symantec's VeriSign often include such services.

If your site has suffered from a mass meshing attack, act quickly. Here's what Huang advises:

-- The first response for many SMBs--particularly those with limited internal IT staff--should be to call their Web hosting provider. The good ones, Huang said, will often be able to help and may have already identified a fix, particularly if they have other affected customers.

-- Change your site's admin password, but don't do so immediately: First, run an antivirus scan on the PC. If it's infected, the attacker will have access to the new password, too.

-- Scan your systems--including files, databases, and config files--for backdoors. Huang concedes that this might exceed the comfort zone of some SMB owners and staff; in that case, it may be time to bring in an outside vendor.

-- Finally, when the site is clean and secure, begin the crucial process of restoring its traffic and reputation. Google's Webmaster tools allow for blacklisted sites to request re-evaluation, for starters.

If all of this sounds like grunt work, it is. And it's absolutely necessary. Otherwise, SMBs are advertising their site to the wrong audience: Hackers. The bad guys profit when smaller businesses are too busy or careless to attend to online security. But SMBs should have a profit motive here, too. In a follow-up email, Huang wrote: "When attacks take your competitors down, your value will show."

It doesn't pay for small and midsize businesses to protect against security threats faced by only the largest companies. Here's how to focus your efforts on the right threats. Download our all-digital supplement. Download it now.

Previous
2 of 2
Next
Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-2130
Published: 2015-03-05
Cisco Secure Access Control Server (ACS) provides an unintentional administration web interface based on Apache Tomcat, which allows remote authenticated users to modify application files and configuration files, and consequently execute arbitrary code, by leveraging administrative privileges, aka B...

CVE-2014-9688
Published: 2015-03-05
Unspecified vulnerability in the Ninja Forms plugin before 2.8.10 for WordPress has unknown impact and remote attack vectors related to admin users.

CVE-2015-0598
Published: 2015-03-05
The RADIUS implementation in Cisco IOS and IOS XE allows remote attackers to cause a denial of service (device reload) via crafted IPv6 Attributes in Access-Accept packets, aka Bug IDs CSCur84322 and CSCur27693.

CVE-2015-0607
Published: 2015-03-05
The Authentication Proxy feature in Cisco IOS does not properly handle invalid AAA return codes from RADIUS and TACACS+ servers, which allows remote attackers to bypass authentication in opportunistic circumstances via a connection attempt that triggers an invalid code, as demonstrated by a connecti...

CVE-2015-0657
Published: 2015-03-05
Cisco IOS XR allows remote attackers to cause a denial of service (RSVP process reload) via a malformed RSVP packet, aka Bug ID CSCur69192.

Dark Reading Radio
Archived Dark Reading Radio
How can security professionals better engage with their peers, both in person and online? In this Dark Reading Radio show, we will talk to leaders at some of the security industry’s professional organizations about how security pros can get more involved – with their colleagues in the same industry, with their peers in other industries, and with the IT security community as a whole.