Why securing your non-critical websites is still essential

Every now and again, we get asked, "Why should I secure my website? It is not critical, and we are not hosting it on our network." The article below is meant to answer this question.

Attacks on a business website may give rise to a claim (subject to policy wording). Even if the website exists purely for reputational purposes, attackers may still use it to reach the actual funds of the business, to cause third-party liability claims, and to obtain critical information and business data as a platform for a larger attack.

As one example, here is how simply changing the phone number and business address on a website can lead to financial fraud. Suppose an attacker gains unauthorized access to a legitimate business website, whether by exploiting a vulnerability, abusing a service exposed on an open port, or stealing credentials. Once inside, the attacker replaces the phone number and business address on the website with their own contact information, so that a customer who calls or emails the company is actually speaking with the criminals.

1. Redirecting Sensitive Communications: By changing the phone number listed on the website to their own, the attacker can intercept incoming calls from customers, suppliers, or partners trying to contact the legitimate business. The attacker may pose as a representative of the business, potentially deceiving callers into providing sensitive information, such as payment details or login credentials, under the guise of customer service or support. 

2. Fraudulent Transactions: With control over the website’s contact information, the attacker can manipulate incoming inquiries or sales leads to redirect them to their own channels. For example, they may alter the email address or contact form settings to route inquiries to email accounts they control. By intercepting these communications, the attacker can engage in various forms of financial fraud, such as soliciting payments for non-existent products or services, collecting sensitive customer information for identity theft, or redirecting legitimate transactions to their own accounts. 

3. Impersonation and Social Engineering: By changing the business address on the website, the attacker can create a false sense of legitimacy and authority. They may use the altered address to impersonate a legitimate business in communications with customers, suppliers, or financial institutions. This can be particularly effective in social engineering attacks where the attacker convinces individuals to disclose sensitive information or make payments based on false premises or urgent requests. 

4. Reputation Damage and Loss of Trust: In addition to financial losses, unauthorized changes to a business website's contact information can damage the organization's reputation and erode trust among customers, suppliers, and partners. Customers who fall victim to fraud or deception may share their negative experiences online, tarnishing the business's reputation and potentially leading to lost business opportunities and legal repercussions.

A change as small as an unauthorized edit to a website's phone number and business address therefore gives attackers a means to intercept communications, manipulate transactions, and commit fraud that results in financial losses and reputational damage for the legitimate business. To mitigate this risk, organizations should implement robust security measures to protect their websites from unauthorized access, regularly monitor for suspicious changes or activity, and educate employees about the importance of safeguarding website credentials and contact information. Additionally, customers and stakeholders should be encouraged to verify contact information through an alternate, already-known channel before engaging in transactions or providing sensitive information.
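One practical way to act on the "regularly monitor for suspicious changes" advice above is a scheduled job that compares the contact details a page currently shows with details verified out of band. The script below is an added example and is not code from the original article: the BASELINE values, the "Acme Widgets" pages and the example.com / example-support.net names are constructed for it, and fetching the live HTML (for example from a cron job) is assumed to happen outside the script.

```python
"""Detect unauthorized changes to the contact details a website publishes.

Added example for this article; not code from the original page. Fetching the
live HTML is assumed to happen elsewhere (a scheduled job); BASELINE and the
two pages below are constructed stand-ins so the example runs offline.
"""
import re
from html.parser import HTMLParser

# Known-good details, confirmed out of band (e.g. by phoning the office).
BASELINE = {                                   # hypothetical values
    "phone": "+1-555-0100",
    "email": "sales@example.com",
    "address": "100 Main Street, Springfield",
}

# A digit run with separators. Whitespace is only allowed when a digit or "("
# follows, so two numbers printed next to each other are not merged.
PHONE_RE = re.compile(r"\+?\d(?:[\d\-().]|\s(?=[\d(]))*\d")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


class _ContactExtractor(HTMLParser):
    """Collect visible text chunks plus the targets of tel:/mailto: links."""

    def __init__(self):
        super().__init__()
        self.chunks = []

    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href") or ""
        if tag == "a" and href.lower().startswith(("tel:", "mailto:")):
            self.chunks.append(href.split(":", 1)[1])

    def handle_data(self, data):
        self.chunks.append(data)


def normalize_phone(raw):
    """Keep digits only, so '+1 (555) 0100' and '+1-555-0100' compare equal."""
    return re.sub(r"\D", "", raw)


def extract_contacts(html):
    """Return the phone numbers, e-mail addresses and flattened text of a page."""
    parser = _ContactExtractor()
    parser.feed(html)
    parser.close()
    phones, emails = set(), set()
    for chunk in parser.chunks:                 # per chunk: numbers in separate
        for match in PHONE_RE.findall(chunk):   # elements stay separate
            digits = normalize_phone(match)
            if 7 <= len(digits) <= 15:          # drops years, street numbers
                phones.add(digits)
        emails.update(e.lower() for e in EMAIL_RE.findall(chunk))
    text = " ".join(" ".join(parser.chunks).split())
    return {"phones": phones, "emails": emails, "text": text}


def audit(html, baseline=BASELINE):
    """Compare a fetched page with the baseline; an empty list means no change."""
    found = extract_contacts(html)
    findings = []
    want_phone = normalize_phone(baseline["phone"])
    if want_phone not in found["phones"]:
        findings.append(f"baseline phone {baseline['phone']} no longer present")
    findings += [f"unexpected phone {p}" for p in sorted(found["phones"] - {want_phone})]
    want_email = baseline["email"].lower()
    if want_email not in found["emails"]:
        findings.append(f"baseline email {want_email} no longer present")
    findings += [f"unexpected email {e}" for e in sorted(found["emails"] - {want_email})]
    if baseline["address"].lower() not in found["text"].lower():
        findings.append("baseline address no longer present")
    return findings


# Constructed sample pages: the verified site, and the same page after an
# intruder swapped in their own phone number and e-mail address.
GOOD_PAGE = """<html><body><h1>Acme Widgets</h1>
<p>Call us: <a href="tel:+1-555-0100">+1 (555) 0100</a></p>
<p>Email: <a href="mailto:sales@example.com">sales@example.com</a></p>
<p>Visit: 100 Main Street, Springfield</p>
<p>&copy; 2024 Acme Widgets</p></body></html>"""

TAMPERED_PAGE = (GOOD_PAGE.replace("+1-555-0100", "+1-555-0199")
                          .replace("+1 (555) 0100", "+1 (555) 0199")
                          .replace("sales@example.com", "sales@example-support.net"))

if __name__ == "__main__":
    print("verified page:", audit(GOOD_PAGE) or "no changes")
    print("tampered page:", *audit(TAMPERED_PAGE), sep="\n  ")
```

Run it on a schedule against the fetched page and alert on any non-empty result; the numbers-only comparison is what keeps harmless reformatting (spaces, brackets) from producing false alarms while still catching a swapped number.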

Even if a website is hosted on a separate server and is seemingly isolated from the organization’s internal network, it can still serve as a potential point of entry for attackers to launch attacks against the rest of the organization and cause an insurance claim. Here’s how: 

1.     Social Engineering: Compromised websites can be used to host phishing pages or distribute malicious content, which can be used to trick employees or visitors into disclosing sensitive information or downloading malware. Once inside the organization’s network, attackers can escalate privileges, steal data, or carry out further attacks. 

2.     Exploitation of Trust: Visitors to the website, including employees, customers, or partners, may trust the site and lower their guard, making them more susceptible to social engineering tactics or malware attacks. Attackers can exploit this trust to gain access to their devices, credentials, or sensitive information. 

To mitigate the risk of a website being used as a point of entry for attacks against the organization’s internal network, it’s essential to implement strong security measures both in the website’s hosting environment and within the organization’s network. This includes regular security assessments and audits, implementing robust access controls and network segmentation, educating employees and users about security best practices, and monitoring for suspicious activity or signs of compromise. Additionally, organizations should have incident response plans in place to quickly detect, contain, and respond to any security incidents that may arise.

How open ports on your non-critical website affect a potential breach and a claim:

Cybercriminals often exploit open ports as entry points to launch attacks on organizations. An open port is a network endpoint with a service listening on it that is reachable over the internet or a local network. Here are some common ways cybercriminals use open ports to target organizations:

1. Port Scanning: Cybercriminals use automated tools to scan for open ports on target systems. Once they identify open ports, they can gather information about the services running on those ports and the vulnerabilities associated with them.

2. Service Exploitation: If a service running on an open port has known vulnerabilities, cybercriminals can exploit these vulnerabilities to gain unauthorized access to the system. For example, they may exploit a vulnerable version of a web server or remote access service to compromise the system.

3. Brute-Force Attacks: Cybercriminals may attempt to gain access to systems by launching brute-force attacks against services running on open ports. This involves systematically trying different combinations of usernames and passwords until the correct credentials are found.

4. Denial-of-Service (DoS) Attacks: Some cybercriminals target open ports with DoS attacks, flooding them with a high volume of traffic or malicious requests to overwhelm the system and disrupt its normal operation.

5. Malware and Botnet Recruitment: Cybercriminals may exploit open ports to install malware on vulnerable systems and recruit them into botnets. Once compromised, these systems can be used to launch further attacks or carry out malicious activities, such as sending spam emails or participating in DDoS attacks.

6. Exfiltration of PII Data: If cybercriminals gain unauthorized access to a system through an open port, they may use it as a foothold to exfiltrate sensitive data from the organization's network. This can include customer information, intellectual property, or other valuable data.

One well-known breach that is often cited when internet-facing services are discussed is the Equifax data breach of 2017. Equifax, one of the largest credit reporting agencies in the United States, suffered a massive breach that exposed the personal information of approximately 147 million people.

The breach was attributed to a vulnerability in the Apache Struts web application framework (CVE-2017-5638) used by Equifax's internet-facing consumer dispute portal. A fix had been published about two months before the intrusion began, and Equifax had not applied it. Attackers exploited the flaw remotely to gain unauthorized access to Equifax's systems and extract sensitive data. Note what this means for the open-ports discussion: the vulnerable application was reachable on the ordinary web port that every public website exposes, so the exposure came not from an unusual port being open but from unpatched software listening on a port that had to be open. Investigations also found that an expired certificate on a traffic-inspection device had left encrypted traffic uninspected for months, which delayed detection.

The Equifax breach highlighted the importance of promptly patching software vulnerabilities, knowing exactly what listens on internet-facing ports, and keeping the monitoring that is supposed to watch those ports in working order. It also underscored the significant consequences that can result from lax cybersecurity practices.

To mitigate the risk of attacks through open ports, organizations should regularly scan their own external footprint for open ports and services, apply security patches and updates to close known vulnerabilities, implement strong access controls, use firewalls and intrusion detection/prevention systems to monitor and filter network traffic, and use TLS to protect data transmitted over the ports that remain open. Additionally, organizations should follow best practices for configuring and securing network services to reduce the attack surface and minimize the risk of exploitation.
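Scanning your own external footprint, the first step above, only helps if the results are checked against a policy such as "a plain website exposes 80 and 443 and nothing else". The script below is an added example and not code from the original article: it parses nmap's grepable output (the -oG format) and flags any open TCP port outside that allowlist. SAMPLE_SCAN is a constructed result in that format; the host 203.0.113.10, the name www.example.com and the version strings are invented for the example.

```python
"""Check an external port scan of a website host against an allowlist.

Added example for this article; not code from the original page. It parses
nmap's grepable output (-oG). SAMPLE_SCAN is a constructed result in that
format; the host, hostname and version strings are invented.
"""

# Ports a plain website needs to expose to the internet. Anything else that
# answers is a finding to raise with the hosting vendor.
ALLOWED_TCP_PORTS = {80, 443}

SAMPLE_SCAN = (
    "# Nmap 7.94 scan initiated (constructed sample) as: nmap -p- -sV -oG - www.example.com\n"
    "Host: 203.0.113.10 (www.example.com)\tStatus: Up\n"
    "Host: 203.0.113.10 (www.example.com)\tPorts: "
    "22/open/tcp//ssh//OpenSSH 8.9p1/, "
    "80/open/tcp//http//nginx 1.18.0/, "
    "443/open/tcp//ssl|https//nginx 1.18.0/, "
    "3306/open/tcp//mysql//MySQL 5.7.40/, "
    "8080/filtered/tcp//http-proxy///"
    "\tIgnored State: closed (65531)\n"
    "# Nmap done (constructed sample)\n"
)


def parse_grepable(text):
    """Return one dict per port entry found in nmap -oG output.

    Each entry has the form port/state/proto/owner/service/rpc/version/ ;
    the entry is split into at most seven fields so the version text, which
    may itself contain odd characters, is kept whole.
    """
    results = []
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue                       # comment lines and "Status: Up" lines
        host = line.split()[1]
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        for entry in ports_field.split(","):
            entry = entry.strip()
            if not entry:
                continue
            port, state, proto, _owner, service, _rpc, version = entry.split("/", 6)
            results.append({
                "host": host,
                "port": int(port),
                "state": state,
                "proto": proto,
                "service": service,
                "version": version.rstrip("/"),
            })
    return results


def audit_exposure(scan, allowed_tcp=ALLOWED_TCP_PORTS):
    """List every open port not on the allowlist; filtered/closed ports are ignored."""
    findings = []
    for r in scan:
        if r["state"] != "open":
            continue
        if r["proto"] == "tcp" and r["port"] in allowed_tcp:
            continue
        what = f"{r['service']} {r['version']}".strip()
        findings.append(
            f"{r['host']}: {r['port']}/{r['proto']} ({what}) is open but not on the allowlist"
        )
    return findings


if __name__ == "__main__":
    for finding in audit_exposure(parse_grepable(SAMPLE_SCAN)):
        print(finding)
```

In the sample the SSH and MySQL listeners are reported while the filtered proxy port is not; a filtered port is not reachable and is not something to chase the vendor about. The service and version text is kept in each finding because it is exactly what an attacker's scan would also see, and what the vendor needs in order to patch or close the service.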

In addition, if a website hosted on a separate server is compromised because of an open port or another weakness such as missing security headers, missing mitigations, no valid TLS certificate (or no HTTPS at all), vulnerable technology, and so on, attackers could leverage it for social engineering attacks against individuals visiting the site, customers, and even your employees.

Here’s how: 

1. Phishing: Attackers could modify the compromised website to host phishing pages that mimic legitimate login portals or forms. When unsuspecting users visit the site, they may be tricked into entering sensitive information such as login credentials, payment details, or personal information.

2. Malicious Redirects: The compromised website could be set up to automatically redirect visitors to other malicious sites designed to deliver malware, collect information, or further exploit vulnerabilities on the visitors' systems.

3. Drive-by Downloads: Attackers may inject malicious code into the compromised website that triggers automatic downloads or installations of malware onto visitors' devices without their knowledge or consent.

4. Fake Alerts or Notifications: Attackers could display fake alerts or notifications on the compromised website, tricking visitors into believing their system is infected with malware or their accounts have been compromised. These alerts may prompt users to download and install fake security software or provide sensitive information to "resolve" the issue, leading to further exploitation.

By exploiting the trust users place in the compromised website, attackers can manipulate visitors into taking actions that compromise their security and privacy.

This underscores the importance of not only securing the web server hosting the website but also regularly monitoring and auditing the website's content and functionality to detect and mitigate any unauthorized changes or malicious activities. Additionally, user education and awareness about the risks of interacting with potentially compromised websites are essential in mitigating the impact of social engineering attacks.
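Part of the content and functionality audit recommended above can be automated: a fetched HTTP response can be checked for the security headers mentioned earlier and its body for an off-site redirect or for scripts loaded from hosts the site does not normally use, which is how malicious redirects and drive-by downloads are typically planted. The code below is an added example and not part of the original article; the header policy, the trusted host list (www.example.com, cdn.example.com) and both sample responses are constructed for it, and fetching the live response is assumed to happen elsewhere.

```python
"""Audit a fetched HTTP response for missing security headers, off-site
redirects and scripts pulled from hosts the site does not normally use.

Added example for this article; not code from the original page. The policy,
the hypothetical host names and the two sample responses are constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

SITE_HOST = "www.example.com"                         # hypothetical site
TRUSTED_SCRIPT_HOSTS = {SITE_HOST, "cdn.example.com"}  # hypothetical allowlist

# Header name -> required value (None means "present with any value").
REQUIRED_HEADERS = {
    "strict-transport-security": None,
    "content-security-policy": None,
    "x-content-type-options": "nosniff",
    "referrer-policy": None,
}


class _PageScanner(HTMLParser):
    """Collect external script sources and any <meta http-equiv="refresh">."""

    def __init__(self):
        super().__init__()
        self.script_srcs = []
        self.meta_refresh = []

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "script" and a.get("src"):
            self.script_srcs.append(a["src"])
        elif tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            self.meta_refresh.append(a.get("content", ""))


def _off_site(url, site_host):
    """True when the URL names a host other than the site itself."""
    host = urlsplit(url).hostname
    return host is not None and host.lower() != site_host


def audit_response(status, headers, body, site_host=SITE_HOST):
    """Return a list of findings for one response; an empty list means clean."""
    findings = []
    h = {k.lower(): v for k, v in headers.items()}

    # 1. A compromised site is often made to bounce visitors somewhere else.
    if 300 <= status < 400 and _off_site(h.get("location", ""), site_host):
        findings.append(f"redirects off-site to {h['location']}")

    # 2. Security headers the article lists among commonly missing mitigations.
    for name, required in REQUIRED_HEADERS.items():
        if name not in h:
            findings.append(f"missing header {name}")
        elif required and h[name].strip().lower() != required:
            findings.append(f"header {name} should be {required}, got {h[name]!r}")
    # Framing protection: either X-Frame-Options or a CSP frame-ancestors directive.
    if "x-frame-options" not in h and "frame-ancestors" not in h.get("content-security-policy", ""):
        findings.append("no clickjacking protection (x-frame-options or CSP frame-ancestors)")

    # 3. Body: injected scripts from unknown hosts and meta-refresh redirects.
    scanner = _PageScanner()
    scanner.feed(body)
    scanner.close()
    for src in scanner.script_srcs:
        host = urlsplit(src).hostname
        if _off_site(src, site_host) and host.lower() not in TRUSTED_SCRIPT_HOSTS:
            findings.append(f"script loaded from untrusted host {host}")
    for content in scanner.meta_refresh:
        findings.append(f"meta refresh present: {content}")
    return findings


# Constructed sample responses: a hardened page, and a page after compromise.
HARDENED = dict(
    status=200,
    headers={
        "Content-Type": "text/html",
        "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
        "Content-Security-Policy": "default-src 'self'; script-src 'self' cdn.example.com; frame-ancestors 'none'",
        "X-Content-Type-Options": "nosniff",
        "Referrer-Policy": "strict-origin-when-cross-origin",
    },
    body='<html><head><script src="https://cdn.example.com/app.js"></script></head><body>Hi</body></html>',
)

COMPROMISED = dict(
    status=200,
    headers={"Content-Type": "text/html", "X-Content-Type-Options": "nosniff"},
    body=('<html><head>'
          '<meta http-equiv="refresh" content="0;url=http://support-example.net/login">'
          '<script src="https://cdn-update.example.net/loader.js"></script>'
          '</head><body>Hi</body></html>'),
)

if __name__ == "__main__":
    print("hardened:", audit_response(**HARDENED) or "clean")
    print("compromised:", *audit_response(**COMPROMISED), sep="\n  ")
```

The header checks are cheap and catch the weak-configuration case; the body checks are what notice a site that has actually been altered, which is the case the paragraph above is concerned with. Keep the trusted host list short and reviewed, since a script source the site legitimately added last month and one an intruder added yesterday look identical to the scanner.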

Not only do most cyber insurance policies cover the organization's website, but a lack of website security may also cause a third-party claim and lead to a successful attack on your actual network. It is also not safe to assume that an organization which successfully secures its internal network has likewise secured its external footprint. Even just having a Contact Us form on your website creates a risk of PII theft that might result in a claim.

If your vendor says they cannot close your website's unneeded ports (80 and 443 excepted, of course) or cannot fix existing vulnerabilities, it might be time to consider a secured hosting provider to help you better protect your company.

The content provided herein, along with any other content associated with it, is intended for educational purposes only. We do not make any recommendations or representations regarding the accuracy, completeness, or suitability of the information presented. Readers are encouraged to independently verify and validate any information provided and should exercise their own judgment when applying it.

Furthermore, it is important to note that this content does not constitute professional advice or guidance. For specific recommendations and guidance regarding cybersecurity practices and standards, readers are strongly encouraged to consult the National Institute of Standards and Technology (NIST) framework or other authoritative sources. The NIST framework provides comprehensive guidelines and best practices for enhancing cybersecurity posture and resilience.