Your web application is the face of your business. It is the client-server software exposed to the world. For instance, when you want to book an airline ticket you visit the airline’s website to make the reservation. This public exposure and interaction is highly convenient to current and potential customers. However, it also makes your site susceptible to attacks.
In many cases, it’s easy to identify when a web application is compromised. In many cases—but not always. In fact, the M-Trends 2016 report from FireEye shows that it takes an average of 99 days to detect a security breach. Surprisingly, most reported intrusions are not detected by internal security processes. Rather, they’re disclosed by news reports, customer complaints, law enforcement, and other external sources.
It’s important to recognize that every attack is different, and the consequences of an attack vary as well. Here are six ways to determine if your web application has been compromised.
One of the most common and notorious types of attack is website defacement. It refers to the unauthorized modification of the appearance of the web application. In some cases, the web content is altered. In others, the web application is redirected to (or replaced by) a completely different website.
Changes in web application performance can also be a sign that it has been breached. If the application is displaying unexpected or unintended behavior, that should set off suspicions. Abnormal behavior may include:
Monitoring log messages can reveal malicious activity taking place within the application. Some suspicious signs include:
Monitoring user accounts and processes can also help detect a breach. For example, it can help you detect when:
Changes to web application files should be investigated. File time stamps may help identify whether a file has been recently modified or deleted, which can also reveal unauthorized modifications. Hackers can modify files to run malicious code. Additionally, new files can be created; if unaccounted for, these can be a sign of a compromise.
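One way to run the file check described above is to record a content hash for every file while the application is known to be good and compare against it later, since a time stamp can be reset after an edit but the hash still differs. This is an added example, not code from the original article; the function names and the sample web root are constructed for illustration.

```python
import hashlib
import os
import tempfile
from pathlib import Path

def snapshot(root):
    """Map each file under root to (SHA-256 of its content, modification time)."""
    manifest = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file():
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            manifest[path.relative_to(root).as_posix()] = (digest, path.stat().st_mtime)
    return manifest

def compare(baseline, current):
    """Report files added, deleted or changed since the baseline snapshot."""
    report = {"added": [], "deleted": [], "modified": [], "mtime_only": []}
    for rel in sorted(set(baseline) | set(current)):
        if rel not in baseline:
            report["added"].append(rel)        # unaccounted-for new file
        elif rel not in current:
            report["deleted"].append(rel)
        elif baseline[rel][0] != current[rel][0]:
            report["modified"].append(rel)     # content differs, whatever the time stamp says
        elif baseline[rel][1] != current[rel][1]:
            report["mtime_only"].append(rel)   # rewritten with identical content
    return report

def demo():
    """Constructed sample web root: one file edited, one removed, one added."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "index.html").write_text("<h1>Welcome</h1>")
        (root / "login.php").write_text("<?php require 'auth.php'; ?>")
        (root / "old.css").write_text("body { color: black; }")
        baseline = snapshot(root)
        (root / "index.html").write_text("<h1>Changed</h1>")
        # Put the original time stamp back: the hash comparison still flags the edit.
        os.utime(root / "index.html", (baseline["index.html"][1],) * 2)
        (root / "old.css").unlink()
        (root / "upload.php").write_text("<?php /* unaccounted file */ ?>")
        return compare(baseline, snapshot(root))

if __name__ == "__main__":
    print(demo())
```

Store the baseline manifest somewhere the web server account cannot write, so a compromise of the application cannot also rewrite the reference hashes.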
Changes to search results can also flag a problem. Google warns users if it scans a website and discovers any problems. It often removes any identified hacked sites from search results. However, in some cases, breached sites may still be listed. These may be flagged with a message reading “This site may be hacked” or “This site may harm your computer.”
The sad truth is that a great many web application owners aren’t aware that their applications have been hacked. That’s why it’s critically important to recognize the signs. If you suspect that your application has in fact been hacked, here’s how to act to prevent further damage:
While it isn’t a pleasant experience to get hacked, it still happens. Knowing how to identify a hack is the first step to helping you minimize the damage and maintain business continuity.
Viplove Karkade is a security consultant at Synopsys. He specializes in cryptography.