The Department of Basic Education’s website was recently hacked by the Islamic State, which posted gory pictures and a message about the US Government.
Following this incident, Bryan Hamman, Territory Manager for sub-Saharan Africa at Arbor Networks, the world’s leading provider of DDoS (Distributed Denial of Service) protection in the enterprise, carrier and mobile market segments, has compiled a few questions and answers around this hacking incident.
1. How could hackers have gained access to the Department of Basic Education’s website?
Systems that host websites are never 100% immune to attacks or being hacked. There are many avenues a persistent hacker can take to gain access to a web server hosting a website, including the following: exploiting a known vulnerability in the operating system (OS) or in the web server or web application software (Apache, IIS, etc.); weak credentials (usernames/passwords) on the system; a backdoor planted in the past by means of malware (intentionally or unintentionally); or another network service, for example File Transfer Protocol (FTP) or telnet, unintentionally running on the system and vulnerable to exploitation.
2. Can hackers use websites to access portals within the organisation that contain vital information?
This is indeed possible by means of ‘pivoting’: once a hacker has managed to gain control over the public, Internet-facing device, they can use it as a foothold to reach a range of other internal systems. Environments that lack proper segmentation and have weak internal access controls can be exploited in this way. This ‘land and expand’ approach is a very common technique used by hackers.
3. In future, how can the Department ensure that a similar incident does not occur again?
There is a range of best practices, processes, policies and technologies (configured optimally) that can be harnessed to avoid these types of exploits, as well as the cascading repercussions that follow from the initial exploit.
At Arbor, we’ve found that the majority of organisations lack proper visibility of the network traffic within their own infrastructure. Understanding when hackers are attempting to compromise your critical assets is the first step, and can serve as an early warning of an escalation of attacks. Knowing how the attackers have moved around within the network (lateral movement) once they have gained access is important to understanding the scope and size of the problem. This feeds into the incident response and action plans. The ability to retrospectively analyse network traffic, network-wide, is essential to piecing all the clues together and gaining proper insight into the scope of the compromise.
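The ‘land and expand’ pattern from question 2 and the network-wide visibility from question 3 come together in a concrete check: a public-facing web server should only ever initiate a narrow set of connections into internal subnets, so any flow outside that set is a signal worth investigating. The script below is an added illustration, not code from the article or from Arbor Networks. The segmentation policy, zones, addresses and flow records are all constructed sample data, and the flow format (timestamp, source, destination, destination port, protocol) is an assumption standing in for whatever a real flow collector exports.

```python
"""Flag cross-segment flows that a segmentation policy forbids.

Added example (not from the article or Arbor Networks). It models the
'land and expand' scenario: a public web server that starts initiating
connections into internal subnets is a lateral-movement signal, and
externally reachable legacy services (FTP, telnet) are an exposure.
All zones, addresses and flow records below are constructed.
"""
import ipaddress
from collections import defaultdict

# Constructed zones. 203.0.113.0/24 is a documentation range (TEST-NET-3).
ZONES = {
    "dmz": ipaddress.ip_network("203.0.113.0/24"),   # public-facing web tier
    "corp": ipaddress.ip_network("10.10.0.0/16"),    # user workstations
    "data": ipaddress.ip_network("10.20.0.0/16"),    # databases / file servers
}

# Constructed policy: (source zone, destination zone) -> permitted dest ports.
# Any cross-zone flow not listed here is a segmentation violation.
ALLOWED = {
    ("dmz", "data"): {3306},        # web tier may reach the database only
    ("corp", "dmz"): {443},         # staff may browse the public site
    ("corp", "data"): {445, 3306},  # staff may use file shares and the DB
}

# Clear-text legacy services the article names as common unintended exposures.
LEGACY_PORTS = {21: "ftp", 23: "telnet"}

# Constructed flow records: "<timestamp> <src> <dst> <dport> <proto>".
FLOWS = """\
2024-05-01T10:00:01 198.51.100.7 203.0.113.10 443 tcp
2024-05-01T10:00:05 203.0.113.10 10.20.0.5 3306 tcp
2024-05-01T10:01:10 198.51.100.7 203.0.113.10 21 tcp
2024-05-01T10:02:00 203.0.113.10 10.10.0.15 445 tcp
2024-05-01T10:02:01 203.0.113.10 10.10.0.16 445 tcp
2024-05-01T10:02:02 203.0.113.10 10.10.0.17 445 tcp
2024-05-01T10:02:30 203.0.113.10 10.20.0.8 22 tcp
2024-05-01T10:03:00 10.10.0.15 10.20.0.5 3306 tcp
""".strip().splitlines()


def zone_of(ip):
    """Map an address to its zone name, or 'external' if it is in no zone."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "external"


def parse_flow(line):
    """Parse one constructed flow record into a dict."""
    ts, src, dst, dport, proto = line.split()
    return {"ts": ts, "src": src, "dst": dst, "dport": int(dport), "proto": proto}


def analyse(lines, fanout_threshold=3):
    """Return policy findings plus per-host cross-zone fan-out.

    findings: (kind, ts, src, dst, dport) tuples.
    fanout: distinct cross-zone destinations each internal host contacted.
    lateral_movers: internal hosts whose fan-out reached the threshold.
    """
    findings = []
    fanout = defaultdict(set)
    for line in lines:
        f = parse_flow(line)
        src_zone, dst_zone = zone_of(f["src"]), zone_of(f["dst"])
        if dst_zone == "external":
            continue  # outbound Internet traffic is out of scope here
        if src_zone == "external":
            # Inbound from the Internet: only legacy clear-text ports are flagged.
            if f["dport"] in LEGACY_PORTS:
                findings.append(("legacy_service_exposed", f["ts"],
                                 f["src"], f["dst"], f["dport"]))
            continue
        if src_zone != dst_zone:
            fanout[f["src"]].add(f["dst"])
            if f["dport"] not in ALLOWED.get((src_zone, dst_zone), set()):
                # A public-facing host reaching inward is the pivot pattern.
                kind = "possible_pivot" if src_zone == "dmz" else "segmentation_violation"
                findings.append((kind, f["ts"], f["src"], f["dst"], f["dport"]))
    lateral = {h for h, dsts in fanout.items() if len(dsts) >= fanout_threshold}
    return {
        "findings": findings,
        "fanout": {h: len(dsts) for h, dsts in fanout.items()},
        "lateral_movers": lateral,
    }


if __name__ == "__main__":
    result = analyse(FLOWS)
    for finding in result["findings"]:
        print(*finding)
    print("fan-out:", result["fanout"])
    print("lateral movers:", sorted(result["lateral_movers"]))
```

Run against the constructed records, the web server 203.0.113.10 is flagged four times for reaching workstations on SMB and a database host on SSH, and its fan-out of five distinct internal destinations marks it as a lateral mover; the inbound FTP connection to it is reported as an exposed legacy service. The same logic, fed from a flow collector over retained history, is what makes retrospective, network-wide analysis of a compromise possible.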
4. How can organisations prevent this from happening to them before it does?
The right security technology must be the foundation of any new service. Securing one’s critical assets and infrastructure is an ongoing task that should follow a well-documented process. There should be policies in place that outline how new and existing systems are built and maintained, with security at their core. Following this, employees need to be adequately trained and empowered to react to security incidents proactively. And lastly, regular penetration testing and audits are key to the organisation’s security.