Indicators of Compromise For Your Website
De’Von Carter of CarTek Consulting is the featured guest in video 1 of a 3-part series on website security. This video focuses on indicators of compromise.
Indicators of Compromise for Your Website
Missing or inappropriate content – After you have created a beautiful website that includes all of the graphics and content that your heart desired and your web designer could deliver, you notice ads that you didn’t authorize. The ads could be anything from online dating services to sales of counterfeit shoes and handbags. This is a tell-tale sign that something is seriously wrong. Keep in mind that injected content is sometimes shown only to search engines or to visitors arriving from them, so also check how your pages appear in search results, not just how they look when you open them yourself.
Website Performance – As a business owner, you understand that your website is the online representation of your company. Because of that understanding, you consistently check your website to ensure that everything looks and functions as it should. Well, on this day, you clicked the link to your blog and instead of the instant response you are used to, the page took 30 seconds to load. You initially chalked this up to a service provider issue, but the problem persists for several days. If this happens, don’t ignore it any longer. Reach out to your technical support staff or CarTek Consulting to investigate.
Broken Code – You may get complaints from customers that links on your website don’t work or send them to different websites. Maybe you notice that the number of contacts through your “Contact Us” page has dropped dramatically. This could mean that someone has changed the destination address of the contact form, so that submissions now go to the attacker instead of to you. This is an indication of compromise. Don’t wait, ask for help.
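One way to check for the two problems just described, redirected links and a hijacked form destination, is to read each page and compare every link, form action and embedded resource against the hosts your site is allowed to reference. The script below is an added example and is not code from the original article or from CarTek Consulting. SAMPLE_HTML and the hostnames in it are constructed (the .invalid top-level domain is reserved for exactly that), and ALLOWED_HOSTS is an assumption standing in for the domains your site legitimately uses.

```python
"""Audit a page's links, form targets and embedded resources against the hosts you own.

Added example, not code from the original article. SAMPLE_HTML and the hostnames in it
are constructed (".invalid" is reserved for that); ALLOWED_HOSTS is an assumption
standing in for the domains your site legitimately uses."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

ALLOWED_HOSTS = {"example.com", "www.example.com"}   # assumed: hosts the site may reference


class TargetCollector(HTMLParser):
    """Collect every attribute that sends the visitor, or their data, somewhere."""
    WATCH = {"a": "href", "form": "action", "iframe": "src", "script": "src", "link": "href"}

    def __init__(self):
        super().__init__()
        self.targets = []   # (tag, attribute, raw value)

    def handle_starttag(self, tag, attrs):
        attr = self.WATCH.get(tag)
        if attr is None:
            return
        value = dict(attrs).get(attr)
        # A <form> with no action posts back to the current page; record it as "".
        if tag == "form" or value:
            self.targets.append((tag, attr, value or ""))


def find_offsite_targets(html, page_url, allowed_hosts=ALLOWED_HOSTS):
    """Return [(tag, attribute, absolute_url)] for every target pointing off-site.

    Relative URLs are resolved against page_url, so a form whose action was changed
    from "/contact" to an attacker's host is caught while the legitimate one is not.
    Non-network schemes (mailto:, tel:, javascript:) have no host and are skipped.
    """
    parser = TargetCollector()
    parser.feed(html)
    offsite = []
    for tag, attr, raw in parser.targets:
        absolute = urljoin(page_url, raw)
        host = urlparse(absolute).hostname
        if host and host.lower() not in allowed_hosts:
            offsite.append((tag, attr, absolute))
    return offsite


# Constructed sample: a contact page with a hijacked form action and an injected ad iframe.
SAMPLE_HTML = """
<html><body>
  <a href="/blog">Blog</a>
  <a href="mailto:info@example.com">Email us</a>
  <a href="//www.example.com/about">About</a>
  <form method="post" action="https://203.0.113.44/collect.php">
    <input name="email"><input type="submit">
  </form>
  <script src="/assets/site.js"></script>
  <iframe src="http://cheap-handbags.invalid/ad" style="display:none"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for tag, attr, url in find_offsite_targets(SAMPLE_HTML, "https://www.example.com/contact"):
        print(f"OFF-SITE <{tag} {attr}>: {url}")
```

Run it against a saved copy of each public page on a schedule and keep the output from a known-good day as a baseline; anything that appears later is either a change you made or a change someone else made. Legitimate third parties (analytics, CDNs, payment processors) will show up the first time and belong in the allow list once you have confirmed them.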
Unexplained User Account – Reviewing the list of accounts approved to make changes on your website should be standard operating procedure. If it isn’t, make sure you include it moving forward. This simple review can tell you whether someone who shouldn’t have access has gained it. In that case, delete the account, change all passwords associated with your site, and have everyone who has access do the same.
Your Site Has Been Blacklisted – A few years back, I was performing a technology review for a client. While there, they mentioned that they were receiving notices that their domain had been blacklisted. They also complained that they were sending emails to clients and their clients were not receiving them. Well, this was an indicator of compromise. What in fact had happened was that their network had been infiltrated and the attackers were using my client’s computers in a botnet (computers under the command and/or control of an external entity). The service providers recognized this and blacklisted my client’s domain. This meant that they were unable to send emails from their domain because the service providers were blocking them. If you notice any symptoms like these, you should contact your technical support staff or reach out to CarTek Consulting to develop and execute a plan of action.
Suspicious Activity in Your Website and Server Logs – First, let me say that if you detected the compromise of your website or network yourself, that is AWESOME. It means you are actively monitoring your logs and doing what is necessary to protect your company’s reputation and, by extension, its long-term viability. Two of the symptoms you should look for in your logs:
One IP address hitting a particular page over and over, possibly for days or weeks.
A page you don’t recognize being accessed by many different IP addresses.
Reviewing your server logs regularly and looking for indicators such as these can provide an early warning of attempts by hackers to gain access to your site.
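The two log patterns above can be checked mechanically. The script below is an added example, not code from the original article or from CarTek Consulting: it parses access log lines in the Apache/nginx “combined” format, counts requests per (IP, page) pair to catch one address hammering a single page, and counts distinct IPs per page to catch an unfamiliar file being called from many places. The log lines are constructed (using RFC 5737 documentation addresses), and KNOWN_PAGES and the two thresholds are assumptions you would tune for your own site and traffic level.

```python
"""Scan web server access logs for the two indicators described above:
one IP hammering a single page, and an unfamiliar page requested by many IPs.

Added example, not code from the original article. The log lines are constructed
(Apache/nginx "combined" format, RFC 5737 documentation addresses). KNOWN_PAGES and
the two thresholds are assumptions to tune for your own site and traffic level."""
import re
from collections import Counter, defaultdict

# Combined log format: ip ident user [timestamp] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

KNOWN_PAGES = {"/", "/blog", "/contact", "/about", "/wp-login.php"}  # assumed site map
REPEAT_THRESHOLD = 50   # hits by one IP on one path before we call it hammering
SPREAD_THRESHOLD = 5    # distinct IPs on an unknown path before we call it suspicious


def parse_log(lines):
    """Yield (ip, path-without-query, status) for each line that parses."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            yield m.group("ip"), m.group("path").split("?", 1)[0], int(m.group("status"))


def find_indicators(lines, known_pages=KNOWN_PAGES,
                    repeat_threshold=REPEAT_THRESHOLD, spread_threshold=SPREAD_THRESHOLD):
    """Return (hammering, unknown_popular).

    hammering:        {(ip, path): hit_count} for pairs at or above repeat_threshold
    unknown_popular:  {path: distinct_ip_count} for paths not in known_pages that
                      were requested by at least spread_threshold different IPs
    """
    hits = Counter()                 # (ip, path) -> number of requests
    ips_by_path = defaultdict(set)   # path -> set of requesting IPs
    for ip, path, _status in parse_log(lines):
        hits[(ip, path)] += 1
        ips_by_path[path].add(ip)

    hammering = {key: n for key, n in hits.items() if n >= repeat_threshold}
    unknown_popular = {path: len(ips) for path, ips in ips_by_path.items()
                       if path not in known_pages and len(ips) >= spread_threshold}
    return hammering, unknown_popular


def _line(ip, method, path, status):
    """Build one constructed combined-format log line."""
    return (f'{ip} - - [10/Oct/2023:13:55:36 -0500] "{method} {path} HTTP/1.1" '
            f'{status} 512 "-" "Mozilla/5.0"')


# Constructed sample log: normal traffic, one password guesser, and a dropped web shell.
SAMPLE_LOG = (
    [_line("198.51.100.10", "GET", "/", 200), _line("198.51.100.10", "GET", "/blog", 200),
     _line("198.51.100.11", "GET", "/about", 200), _line("198.51.100.12", "GET", "/contact", 200),
     _line("198.51.100.12", "POST", "/contact", 302)]
    # one address POSTing to the login page 60 times
    + [_line("203.0.113.7", "POST", "/wp-login.php", 200) for _ in range(60)]
    # six different addresses calling a file that is not part of the site
    + [_line(f"203.0.113.{n}", "POST", "/wp-content/uploads/.cache/x.php?cmd=id", 200)
       for n in range(20, 26)]
)

if __name__ == "__main__":
    hammering, unknown = find_indicators(SAMPLE_LOG)
    for (ip, path), n in hammering.items():
        print(f"HAMMERING: {ip} requested {path} {n} times")
    for path, n in unknown.items():
        print(f"UNKNOWN PAGE: {path} requested by {n} distinct IPs")
```

On a real log you would feed the file in a line at a time and pick thresholds from what a normal day looks like; a busy site will have legitimate addresses (your own office, a search engine crawler) that exceed a count of 50, which is why the count is reported with the address rather than treated as proof. The second check is the more telling one: a file under an uploads or cache directory that many unrelated addresses request is rarely something you put there.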
Unexplained Server Processes – CarTek strongly recommends that you monitor your website and infrastructure on a regular basis. Sometimes you will see process behavior in your environment that you can’t explain. For example, a server process (say, your email server) may be consistently hovering around 30% CPU even though there is no legitimate traffic to account for it. That is a pretty good sign that the system may have been compromised and is doing work for someone else.
If you see any of the signs listed above, you should respond immediately. If you don’t have the technical expertise in-house, please reach out to CarTek Consulting. We are here to help SECURE YOUR PRESENT TO ENSURE YOUR FUTURE.