It is a PR disaster. A group of ‘hacktivists’ have somehow managed to attack your company website and changed your content (which is actively being displayed to the entire world). Your phone won’t stop ringing, and your mailbox just melted down. So many questions running through your mind: ‘What just happened?’, ‘Who did this?’, ‘How did they do this?’, and most importantly ‘How can I prevent this from happening again???’. It certainly doesn’t help that this has the highest level of visibility within your organization. It’s going to be a very long day.
Sadly this scenario is now playing itself out more than ever. This is especially true with a loosely managed group of hactivists that call themselves ‘Anonymous’. The list of companies affected by Anonymous is large enough to raise national media attention—which is not exactly where your company wants to have its name mentioned.
Despite significant improvements to website server security, major companies continue to be the victimized by this type of vandalism. The motivation behind such attacks range from citizen protestors (“hacktivists”), to good old fashion revenge. Regardless of the motivation, you now have a very embarrassing problem on your hand.
Despite best practices of ‘locking down’ your website data files to prevent changes to them, it does no good if someone is able to gain root level access to the server; the attacker can simply open up the privileges for the data files with a single command. You need to be able to lock down these files at a lower level than standard operating system controls provides.
As readers of our blog know, CoreTrace Bouncer is an application whitelisting product. The main benefit of this technology is that only programs that are explicitly defined on the whitelist are allowed to execute. Any programs not on the whitelist are considered to be ‘unauthorized’ so Bouncer prevents these unauthorized programs from executing. Bouncer takes the firewall paradigm of ‘default deny’ for network ports and applies it to program execution within the operating system.
Not only does Bouncer enforce the whitelist but Bouncer must also protect the integrity of the whitelisted applications as well. How effective would a whitelisting product be if someone could simply delete an authorized application such as notepad.exe, and replace it with a tainted program that has been renamed to notepad.exe? Bouncer blocks (from the kernel) all modifications to program files that are on the whitelist by default. Bouncer Administrators are able to define vectors of authorized change which enables transparent changes to these files so that upgrades and patches can easily be applied without difficulty.
CoreTrace has extended this kernel level ‘file integrity protection’ capability to any file which you wish to protect. While the html files will never execute, you can rest much more easily knowing that any file you wish to add to the list has this low level extra measure of protection available. This can also be applied to any file that you wish such as c:\boot.ini or the hosts file.
By the way, here are some examples that clearly show what you don’t want to deal with: