Hailey Lynne McKeefry has spent more than 23 years writing about technology and business. She began her career as an editor at such periodicals as Macintosh News, EBN, and Windows Magazine. After more than 16 years as a freelance journalist, she has written about a broad variety of technology topics, with a focus on security, storage, healthcare, and SMBs. Living in the heart of the Silicon Valley, Hailey has written for many top business-to-business publications and Websites including Information Week, CRN, eWeek, Channel Insider, Channel Pro, Redmond Channel Partner, Home Office Computing, and TechTarget. She graduated from the University of California at Santa Cruz with a BA in literature.
May 22, 2013

SMB Web Servers Under Attack

Traditionally, endpoint security has focused on the users, whether they are using a PC, a tablet, or a mobile phone. Now, however, cybercriminals are recognizing the SMB web server as a useful target.

“Web servers are under attack,” Stephen Cobb, security evangelist at ESET, told us. “As a small business, you need to have a plan to deal with problems coming from the server that is hosting your website.”

There are two common scenarios. First, the website may be subject to a distributed denial of service attack. Often, the company will be unaware of the problem until a customer says the site is down, or the hosting provider notifies the company that the server is being shut down to eliminate the attack. “Your website is being challenged every two seconds by brute force SSH attacks trying to break into cPanel, WordPress, Joomla, or Plesk,” Cobb said. “These are all things you find on virtual servers.”

Second, attackers may take over the server and use the website to distribute malware. “You may be Bob’s Flowers, and customers come to your site wanting to do business, but anyone who comes is then sent to a Black Hole exploit.”

Immune to server takeover
Too often, small organisations think themselves immune to web server takeover, because they have little in terms of proprietary data or customer information stored on the server. However, the reality is that the web server has become a lucrative asset for cybercriminals. “Now users are accessing the Internet from small mobile devices that are turned on and off, which is not a good platform for exploits. The hackers have realized that SMB web servers are always on, offer good bandwidth, and are lightly managed.”

The changing business models used by cybercriminals are magnifying the problem, he said. “I’ve been talking about the industrialisation of malware for the past 18 months, and that is the engine behind this.” As crimeware evolves as a free enterprise, cybercriminals can respond more quickly to exploit new vulnerabilities. Furthermore, a broader array of players is building botnets and working to compromise machines.

Though there’s little that the average organisation can do to foil a targeted attack, there are best practices that will make one web server a less attractive target than another. First, SMBs should protect their servers with strong and unique passwords that follow best practices, including using a combination of letters, numbers, and other characters; choosing credentials that are not easily guessed; and changing the password regularly.

Further, SMBs should be using the monitoring tools offered by the hosting provider to spot potential attacks, Cobb said.

You can also go steps further if you have someone that you can tap into that is well versed in Linux. There are simple tools that can be activated on the web server to alert you to attacks. There are also some fairly basic but effective ways of limiting the number of times someone can use SSH to get into the box.

As malware makers start targeting web servers, SMBs need to turn their focus to these machines to ensure that they are well protected and monitored.

9 Comments
JonathanL
May 22, 2013 2:30 pm

I found an interesting video on YouTube from Hak5 where in one of the interviews they speak to the creator of a search engine called Shodan http://www.shodanhq.com/ that can be used to search the web for different instances such as a Web Server version that has a known exploit. The search engine was developed as a security awareness tool. So if you don't think they will find your outdated Apache web server, think again, there is a search engine for that…

Hailey Lynne McKeefry
May 23, 2013 11:52 pm
Reply to  JonathanL

That’s scary stuff… but not surprising, Jonathan. It seems like the cybercriminals are pretty quick on their feet and they are working hard to stay ahead of the curve. I didn’t know about this… thanks for pointing it out.

JonathanL
May 24, 2013 9:41 am

No, it really is scary. I watched a demo of the search engine and they found all kinds of outdated software and internet-facing machines that have known exploits available. There really is no end to the vulnerabilities that can be found. The creator said the scariest thing he found was a custom interface that had a lot of numbers and settings, and he said after some research he discovered it was displaying real-time output from a power plant. Now that's some scary stuff.

JonathanL
May 24, 2013 9:42 am
Reply to  JonathanL

Oh, and I should add that in the same interview he said he was able to find a city’s traffic cameras and able to view their live streaming feeds. Their system was on the internet and apparently either kept with the default passwords or just unprotected altogether.

Rob Ratcliff
May 24, 2013 10:29 am
Reply to  JonathanL

It’s like Die Hard 4.0 all over again…

JonathanL
May 24, 2013 12:20 pm
Reply to  Rob Ratcliff

It can be interesting to watch http://hak5.org/episodes/hak5-1211; they start to talk to the guy around 8:45.

Hailey Lynne McKeefry
May 25, 2013 10:42 pm
Reply to  JonathanL

Thanks, Jonathan… fascinating stuff.

Rob Ratcliff
May 28, 2013 9:54 am
Reply to  JonathanL

This guy’s amazing. And he can see the pictures from the red light cameras? Amazing.

JonathanL
May 28, 2013 10:18 am
Reply to  Rob Ratcliff

Yeah Rob, but if you think about it, this just highlights that some people take security for granted or assume that no one would go looking for something like that. So far as this stuff goes, one should never just assume that they are safe just because what they are dealing with is not considered commonplace.