Website Attacks – Prepare, Automate, Alert, and Report
It’s common these days for your website to be attacked – usually you won’t even be aware of it, and if it’s a static site, it’s rarely an issue. But let’s face it, these days most sites have dynamic content. Think about all the dynamic content platforms such as WordPress, Drupal, Wix, Ghost, Joomla, and also the countless frameworks for rapid development such as Angular, CakePHP, Laravel, Django, Bootstrap, etc. and unless you are prepared beforehand, an attack can be very damaging not just to your website, but your company’s image, emailing ability, and possibly much more.
First and foremost, Security protocols should be in place. Limit the attack vectors and you limit the ability for any attack to be successful. There are standard things that should be done, and then additional steps that should be taken depending on the type of site or platform.
Second, Automation. The processes should be automated as much as possible so you don’t have to deal with them on a regular basis. IP banning, user lockouts, etc should all be automatic and set very strict for any admin accounts.
Third, Alerting. When you are attacked, you should have a process in place to identify if the attack was successful, and if so, what to do about it. There should be a system constantly watching for issues and when they are identified alerting you to them.
Finally, Reporting. When you are attacked, it’s typically going to be from a compromised server. So by reporting the attack, you alert the admin of the server to the compromised machine. Also by reporting, you let the service provider know their customer either has a compromised machine or in rare cases is the attacker and they can then disable the customer’s services. But how to know who to report the abuse to? From the alert, you will have the IP address, and can use Who Is My ISP to identify the IP, then simply google the ISP’s name and the words “report abuse”, or if you know the ISP’s domain name (like ohv.com), use Abuse.net to lookup their abuse reporting email address. You should then provide the following: Source IP, Destination IP, Date and Time, Timezone, and logs which show the event.