Recently, several of our websites came under attack. It started out slow but then turned into a full-fledged assault. In this article, I will go over what one kind of cyber attack on a website actually looks like, and what signs you may see if you are watching. This article won't be overly technical; there are plenty of articles online for the really geeky tech stuff. I want this article to simplify a fairly complex topic so that you can understand how hackers work. Then you can take this information and use it in your own practice to protect yourself.
One note: while this article focuses on a cyber attack on a website, it will also help you understand how attacks on your network work as well.
It started two weeks ago. I received an email about a user being locked out of one of our websites. The problem was that it was my user account: the one that is used to administer the website. That got my attention. The alert email looked like this:
Site Lockout Notification

Host/User                 Lockout in Effect Until    Reason
User: adminuserforsite    2019-07-03 19:48:05        too many bad login attempts
This meant that someone had tried to log into the site as the user account adminuserforsite with the wrong password too many times, and the server had locked the account out. I checked the server logs, and they showed the attack had come from Ukraine.
I went through the logs some more and saw nothing else that concerned me. However, about 10 minutes later, the floodgates opened. Login attempts started coming in at about one every 10 seconds from all over the world. All told, it was over 50,000 attempts on this single website over a 4 day period.
We made sure the security was locked down and then also checked all of our other sites, as well as the sites we host for customers. We made some changes to our overall security posture and called it a day.
A few days later, one of our customers' sites came under attack. However, due to some of the changes we had made, the attackers weren't even able to find a valid user name to try and crack. They simply targeted the account 'admin'. This attack was by a less skilled attacker who was just running a basic attack tool against the website. This was the only account the attacker attempted to break, but they tried for 5 days straight and used IP addresses from all over the world.
How do cyber attacks work?
First, let's dispel the myth that you have nothing an attacker wants, or that you aren't important enough for someone to attack. Both of these are completely false. Under normal circumstances, hackers aren't looking for you specifically. They are looking for low-hanging fruit that they can use for their own purposes.
Think of it like a burglar going through a subdivision. He tries the front door on every house. The ones that are locked, he moves on from. If he finds a door that is unlocked, he goes in. He didn't target that house because of the people who lived there; he targeted it because he could get in.
Hackers work the same way. They will use software tools that scan computers all over the world. If they find one that has a way in, a vulnerability, then they will turn their focus to that one.
In the case of the websites above, the attacker was trying to see if the user accounts that we used had weak passwords. They sent thousands of password attempts to see if they could find the right one.
The same thing can happen on your network. This is often how ransomware gets started. A site will have remote desktop access set up directly on the internet. The attacker will use a tool that tries to guess the user name and password of the remote desktop user until they succeed. This will be very obvious in the log files of the computer they are attempting to access: you will see many failed login attempts. But Windows doesn't alert you to these events. Someone has to actually be watching these logs for signs of an attack.
How can you protect against a cyber attack on a website?
The most important thing to do is to use very strong passwords for your website access. This is also true for your Windows user accounts. You can read more about what makes a password strong here.
After you have set a strong, uncrackable password, enable Two Factor Authentication (2FA) if that is an option. 2FA requires a second, one-time code that is generated by software on your mobile phone. If the hacker doesn't have access to your mobile phone, then they will be unable to break into your website by guessing your password.
Keep your website software updated. New vulnerabilities are found every day in software and vendors release patches and updates to fix them. Keeping your software updated protects against these new vulnerabilities. This is also VERY true for Windows software. This is also a HIPAA requirement to protect against breaches. Keeping Windows up to date with patches plugs the holes that attackers use to gain access to your network.
The final step to protecting your practice's website (and your network) from attackers is to monitor your logs. Log files tell the story of what is happening on your website or computers. If someone is trying to break in, there will be events recorded in your log files.
One way to think of it is like the alarm system you have for your office. If someone tries to break in, the alarm will go off. The alarm system will alert the monitoring company who, in turn, calls the police. But what if your alarm system didn't have a monitoring company? No one calls the police, and then no one shows up to the break-in. It goes unreported and you're left with a burglarized office.
Your log files are the same way. If no one is monitoring them for signs of attack, you won't see the attack until after it's over. Many people think that a cyber attack will be very easy to see. They are expecting sirens and alarms going off as you see in movies. It never happens like that. Most successful attacks aren't detected until months, or years, later. By the time it is detected, the attacker has already stolen your data and completely compromised your network.
The importance of cybersecurity has grown to the point where, if you do not address it, not only are you being irresponsible, you may be criminally liable. Gone are the days when practices and businesses could overlook their security. Now the price for failure is just too high, to both you and your patients.
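As an added illustration of what "watching the logs" means in practice (this is example code written for this article, not the author's tooling or any product's log format), the script below reads a constructed login log and flags the two patterns described above: one source address hammering an account until it locks out, and a slower spray against a single account from many addresses around the world, which a per-IP lockout alone would miss. The log line layout, the usernames and the IP addresses are all assumed sample data.

```python
"""Toy brute-force detector over constructed login-log lines.

Assumed log format (made up for this example, not any real product's):
    <YYYY-MM-DD HH:MM:SS> <RESULT> user=<name> ip=<address>
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample data: a single-source burst against the admin account,
# then a slow distributed guess against 'admin', with one normal login mixed in.
SAMPLE_LOG = """\
2019-07-03 19:47:50 FAILED user=adminuserforsite ip=198.51.100.7
2019-07-03 19:47:52 FAILED user=adminuserforsite ip=198.51.100.7
2019-07-03 19:47:55 FAILED user=adminuserforsite ip=198.51.100.7
2019-07-03 19:47:58 FAILED user=adminuserforsite ip=198.51.100.7
2019-07-03 19:48:05 FAILED user=adminuserforsite ip=198.51.100.7
2019-07-03 19:58:10 FAILED user=admin ip=203.0.113.10
2019-07-03 19:58:20 FAILED user=admin ip=203.0.113.11
2019-07-03 19:58:30 FAILED user=admin ip=203.0.113.12
2019-07-03 19:58:40 FAILED user=admin ip=203.0.113.13
2019-07-03 19:58:50 FAILED user=admin ip=203.0.113.14
2019-07-03 19:59:00 SUCCESS user=editor ip=192.0.2.44
"""


def parse_line(line):
    """Parse one log line into (timestamp, result, user, ip); None if malformed."""
    parts = line.split()
    if len(parts) != 5:
        return None
    try:
        ts = datetime.strptime(parts[0] + " " + parts[1], "%Y-%m-%d %H:%M:%S")
    except ValueError:
        return None
    fields = dict(p.split("=", 1) for p in parts[3:5] if "=" in p)
    if "user" not in fields or "ip" not in fields:
        return None
    return ts, parts[2], fields["user"], fields["ip"]


def detect_bruteforce(log_text, threshold=5, window=timedelta(minutes=10)):
    """Return a list of findings, each a tuple (kind, key, count).

    kind 'source' : one IP produced >= threshold failures inside `window`
                    (the single-source burst that triggers a lockout).
    kind 'account': one username saw failures from >= threshold distinct IPs
                    inside `window` (a distributed guess spread across
                    addresses so that no single IP trips the lockout).
    Each (kind, key) pair is reported once, on the event that crosses the line.
    """
    per_ip = defaultdict(deque)     # ip   -> timestamps of recent failures
    per_user = defaultdict(deque)   # user -> (timestamp, ip) of recent failures
    findings = []
    reported = set()
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue                 # skip malformed lines rather than crash
        ts, result, user, ip = rec
        if result != "FAILED":
            continue                 # only failed logins count toward a burst

        # Sliding window per source address.
        q = per_ip[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold and ("source", ip) not in reported:
            reported.add(("source", ip))
            findings.append(("source", ip, len(q)))

        # Sliding window per target account, counting distinct sources.
        uq = per_user[user]
        uq.append((ts, ip))
        while uq and ts - uq[0][0] > window:
            uq.popleft()
        distinct = {src for _, src in uq}
        if len(distinct) >= threshold and ("account", user) not in reported:
            reported.add(("account", user))
            findings.append(("account", user, len(distinct)))
    return findings


if __name__ == "__main__":
    for kind, key, count in detect_bruteforce(SAMPLE_LOG):
        print(f"{kind:8} {key:20} {count} failures/sources in window")
```

Run against the sample, it reports the burst from 198.51.100.7 and the spray against 'admin'. The second finding is the important one: a lockout rule that only counts failures per address never fires when each address tries once, so the account-level view is what turns 50,000 scattered attempts into an alert someone can act on.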