How secure is your website?
The New York Times website was hacked on Tuesday (Aug. 14) and remained dark until yesterday (Aug. 15). Marc Frons, chief information officer for The New York Times, said in a statement that the outage was "the result of a malicious external attack" carried out by the Syrian Electronic Army (SEA).
Although The New York Times breach was a politically driven cyberattack, the incident serves as a lesson on cybersecurity for businesses everywhere. From competitors to anyone with a checkbook and a grudge, if an attack of this magnitude can happen to The New York Times, it can certainly happen to small business websites, too.
According to a national survey by Newtek, a small business solutions and resource center, 86 percent of small business owners believe their websites are secure, with 41 percent saying their website is the prime revenue driver of their business. But with the combination of growing security vulnerabilities and employees falling prey to malicious Web and email content, small business websites need more protection than ever.
Invest in technology and education
"The main takeaway for small businesses from the New York Times attack is: a) you need to know exactly what kind of security your providers are giving you, and b) another round of employee education about best security practices and how not to become the victim of spear phishing attacks is a good investment," said Vann Abernethy, senior product manager at NSFOCUS, an anti-DDoS solutions provider.
"The attack that hit The New York Times and Twitter this week was actually an attack against a service provider," Abernethy said. The service provider, Melbourne IT, had a reseller partner who was the victim of a spear phishing attack – an email that appears to be from someone you know, but is actually after passwords or other sensitive information – which provided SEA with the access they needed to take down The New York Times and Twitter.
While the attack intermittently interrupted Twitter's services for about two hours, The New York Times' website remained offline. Twitter's advantage was that it saw the value in investing in an extra layer of defense, while The New York Times did not, Abernethy said.
"Small businesses in particular need to understand what the risks are, what security providers’ capabilities are, and exactly what they have contracted in terms of services. You don't want to be The New York Times, wishing you had paid for that extra level of security," he said.
Investing in additional security is as important as educating or retraining employees.
Craig Kensek, director at AhnLab, a security solutions provider, said that protecting yourself from cyberattacks doesn’t just mean implementing technological solutions. Instead, it requires a multifaceted approach.
"The most effective protection from hacks includes educating your user base to not click on risky links, understanding how advanced malware manifests, and having a solid defensive plan to your exposed cyber footprint," he said.
While Kensek advised businesses to invest in malware protection and Generation III products, which include the ability to protect Web, email and file-share traffic, employee training is at the heart of mitigating phishing-based attacks.
"Consider Web surfing training and make sure employees know what to look for on website downloads, suspected bad links and social networking. Have a defined use policy for the Web, applications, file shares and email communication," Kensek said.
Talk to your provider and spread your resources
"The New York Times hack shows how difficult it is to protect your website and, in this case, the traffic to and from your website, from attacks," said Cedric Leighton, founder and president of Cedric Leighton Associates, a Washington, D.C.-based strategic risk management consultancy.
"In order to protect yourself, you have to do as much as you can to ensure that the company you registered your domain name with is protecting that domain name," Leighton said. The problem is that most don't have adequate protection, he said.
"Key is to have something like OpenDNS, which registers websites used by hackers like the SEA," Leighton said. "When attempts come from such websites to re-direct legitimate internet traffic to 'bad' or unauthorized sites, the request to do so is automatically blocked. Unfortunately, most people don't know that they need to look into this to protect themselves from such hacks."
This means that businesses need to be better informed about their security options and have mitigation and disaster recovery plans in place for when, not if, an attack happens.
"In all honesty, I’m not sure you can actually protect yourself 100 percent from something like The New York Times attack," said Pierluigi Stella, chief technology officer of Network Box USA, a Houston-based computer security provider. "I don’t know the extent of the resources The New York Times has, but I’m fairly certain they’re larger than those of normal small businesses. The main issue here is that regardless of business size, fending off a DDoS attack requires planning."
The first step is to have an in-depth conversation with your provider. Talk to them not only about whether or not you are protected, but how you are protected if an attack occurs. "First off, you need to ask your ISP, 'What will you do if I am attacked?'" Stella said. "Don't hope for them to say, 'We'll protect you.' That's not going to happen. The ISP will most likely reply, 'We'll take you offline.'"
Next, determine exactly which areas of your website need to be protected, such as the website itself and your DNS servers.
To protect against an attack that takes down your DNS servers, Stella said your modus operandi should be to divide and conquer. "Have multiple DNS hosted in different locations. If you’re really wanting to host your own DNS servers, host a backup somewhere else, maybe with a registrar or maybe with some other large web-hosting company with sufficient resources to not be too worried about DDoS attacks. Hosting DNS is not an expensive endeavor, and if you spread your presence, it’s far more difficult to take you down completely," Stella said.
To keep your website online, Stella said the only way to truly protect yourself is by having a copy, preferably on the cloud. As part of your recovery plan, should attackers lock your main website, you will be able to reconfigure your DNS to point to the secondary website for the time being, he said.
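The following is an added example, not part of the original article: a small Python audit of the "multiple DNS hosted in different locations" advice above. The nameserver names and addresses are constructed sample data using documentation ranges; treating the last two hostname labels as the operator, and a shared /24 (IPv4) or /48 (IPv6) as the same location, are simplifying assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed sample data (not real lookups): NS hostname -> addresses, as you
# would gather for your own domain with `dig NS` followed by `dig A` / `dig AAAA`.
SINGLE_PROVIDER = {
    "ns1.hosting-a.example.": ["192.0.2.10"],
    "ns2.hosting-a.example.": ["192.0.2.11"],
}
SPREAD = {
    "ns1.hosting-a.example.": ["192.0.2.10"],
    "ns1.registrar-b.example.": ["198.51.100.53"],
    "ns2.cloud-c.example.": ["203.0.113.53"],
}


def operator_of(ns_host):
    # Assumption: the last two labels identify who runs the server.
    # This is wrong for suffixes such as co.uk; adjust for your own zones.
    labels = ns_host.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def network_of(addr):
    # Assumption: servers in the same /24 (IPv4) or /48 (IPv6) share a location.
    ip = ipaddress.ip_address(addr)
    prefix = 24 if ip.version == 4 else 48
    return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False))


def audit_nameservers(ns_map):
    """Report whether a delegation depends on one operator or one network."""
    operators, networks = defaultdict(set), defaultdict(set)
    for host, addrs in ns_map.items():
        operators[operator_of(host)].add(host)
        for addr in addrs:
            networks[network_of(addr)].add(host)
    findings = []
    if len(ns_map) < 2:
        findings.append("fewer than two nameservers delegated")
    if len(operators) == 1:
        findings.append(f"single operator: {next(iter(operators))}")
    if len(networks) == 1:
        findings.append(f"single network: {next(iter(networks))}")
    return {"operators": sorted(operators), "networks": sorted(networks),
            "findings": findings}


if __name__ == "__main__":
    for name, ns_map in (("single provider", SINGLE_PROVIDER), ("spread", SPREAD)):
        print(name, audit_nameservers(ns_map)["findings"])
```

An empty findings list means the delegation is spread across more than one operator and network; it says nothing about whether each provider can absorb an attack on its own.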