If you host your own website, be aware of “watering hole” attacks that can be used against those who visit your site. In the animal world a lion lies in wait for prey near a water source. In the cyberworld, online criminals infect a trusted website to lure new victims instead of going after the victims directly.
Some of the more notable examples of watering hole attacks include:
>> Beginning as early as 2009, Operation Aurora was known to leverage watering hole attacks in addition to phishing attack vectors to compromise major organizations such as Adobe, Google and RSA.
>> In early 2013 a mobile developer forum was used to infect several developers at Apple, Facebook, Microsoft and Twitter with a Mac OS Trojan.
>> In July a large aerospace firm’s website was altered to exploit a recently patched Adobe Flash vulnerability in the browsers of its visitors.
Many small-business owners hire a firm to design their website and then host it through a low-cost Web-hosting provider (for example, GoDaddy.com). Small-business owners are often unaware that the software running their website needs maintenance and updates, and that this responsibility falls on them, not on the website designer or hosting provider. Cybercriminals exploit this knowledge gap and install malware on these unmaintained websites. The malware can evade detection by launching only when the website is:
>> Accessed by a particular browser or operating system.
>> Clicked through from a Web search engine.
>> Not bookmarked.
>> Visited from an IP address that has not been seen before.
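Those trigger conditions are also the site owner's cue for checking their own pages: fetch the page the way several different visitors would (different browsers, a click-through from a search engine, a plain direct visit) and compare what each variant tells the browser to load. The following script is an added example, not code from the original column; the visitor profiles, the sample pages and the URL handling are constructed, and `detect_cloaking` works on whatever responses you hand it, so it can be run offline against saved copies or live through `check_site`.

```python
"""Added example, not from the column: fetch your own page as several
different visitors would and diff what each variant tells the browser to
load.  Malware that fires only for a particular browser, for visitors
arriving from a search engine, or for a first visit shows up as a script
or frame present in one variant and absent from the others.  The profile
headers, URL and sample pages below are constructed."""
import hashlib
from html.parser import HTMLParser
from urllib.request import Request, urlopen

# Visitor profiles modelled on the trigger conditions in the column:
# a specific browser/OS, a click-through from a search engine, a plain
# direct visit.  User-Agent strings are constructed, not real captures.
PROFILES = {
    "win-chrome-direct": {
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0"},
    "win-ie-from-search": {
        "User-Agent": "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko",
        "Referer": "https://www.google.com/search?q=aloha+bakery"},
    "mac-safari-direct": {
        "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 13_5) Safari/605.1.15"},
}


class _RefCollector(HTMLParser):
    """Collect every external script/frame and every inline script body."""

    def __init__(self):
        super().__init__()
        self.refs = set()
        self._in_inline_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("script", "iframe", "embed") and a.get("src"):
            self.refs.add(f"{tag}:{a['src']}")
        elif tag == "object" and a.get("data"):
            self.refs.add(f"object:{a['data']}")
        elif tag == "script":
            self._in_inline_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_inline_script = False

    def handle_data(self, data):
        # Inline bodies are keyed by a short hash so the report stays readable.
        if self._in_inline_script and data.strip():
            digest = hashlib.sha256(data.strip().encode()).hexdigest()[:12]
            self.refs.add(f"inline-script:{digest}")


def external_refs(html: str) -> set:
    """Everything the page instructs the browser to load or execute."""
    parser = _RefCollector()
    parser.feed(html)
    parser.close()
    return parser.refs


def fetch_variant(url: str, headers: dict, timeout: float = 10) -> str:
    """Fetch one page as one profile (network; the sample run does not use it)."""
    with urlopen(Request(url, headers=headers), timeout=timeout) as resp:
        charset = resp.headers.get_content_charset() or "utf-8"
        return resp.read().decode(charset, "replace")


def detect_cloaking(variants: dict) -> dict:
    """Map each script/frame that some profiles received but others did not
    to the set of profiles that got it.  Empty result: all variants agree."""
    if not variants:
        return {}
    per_profile = {name: external_refs(html) for name, html in variants.items()}
    union = set().union(*per_profile.values())
    common = set.intersection(*per_profile.values())
    return {ref: {name for name, refs in per_profile.items() if ref in refs}
            for ref in union - common}


def check_site(url: str) -> dict:
    """Live check: fetch url once per profile and diff the results (network)."""
    return detect_cloaking({n: fetch_variant(url, h) for n, h in PROFILES.items()})


# Constructed sample responses: one profile is served an extra 1x1 frame
# and an inline script that the other profiles never see.
CLEAN_PAGE = """<html><head><script src="/js/site.js"></script></head>
<body><h1>Aloha Bakery</h1><p>Open daily 6am-2pm.</p></body></html>"""
CLOAKED_PAGE = CLEAN_PAGE.replace(
    "</body>",
    '<iframe src="http://cdn.example/l.php" width="1" height="1"></iframe>'
    "<script>var q = 1;</script></body>")
SAMPLE_VARIANTS = {
    "win-chrome-direct": CLEAN_PAGE,
    "win-ie-from-search": CLOAKED_PAGE,
    "mac-safari-direct": CLEAN_PAGE,
}

if __name__ == "__main__":
    for ref, profiles in sorted(detect_cloaking(SAMPLE_VARIANTS).items()):
        print(f"served only to {sorted(profiles)}: {ref}")
```

Fetching from the machine you normally administer the site from is the weak spot of this check: a trigger keyed to a never-before-seen IP address will not fire for you, so run it from a second network (a mobile connection is enough) and, if you saved earlier responses, compare against those as well.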
What can small-business owners do to protect their websites? First, know and update the software that runs your site. Many small-business websites are run on content management system software, such as WordPress, DotNetNuke and Drupal. Some of these companies also offer professional Web-hosting services, which I recommend checking out.
Second, limit the use of third-party plug-ins, which are a popular way to introduce new functionality to your website. Unfortunately, they are also a way to introduce new vulnerabilities.
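Both steps start with knowing exactly what is installed. The script below is an added example, not code from the column or from WordPress: it reads the core version from `wp-includes/version.php` and the standard "Plugin Name:" / "Version:" header from each entry in `wp-content/plugins`, and flags PHP code sitting in the plugins directory with no recognisable header. The sample install it builds is constructed for the demonstration.

```python
"""Added example, not from the column: inventory the CMS core version and
every installed plugin on a WordPress install, so you know what you are
responsible for updating.  The header format is WordPress's standard
plugin header; the sample install built below is constructed."""
import os
import re
import tempfile

_CORE_RE = re.compile(r"\$wp_version\s*=\s*['\"]([^'\"]+)['\"]")
_HEADER_FIELDS = ("Plugin Name", "Version", "Plugin URI")


def parse_plugin_header(php_source: str) -> dict:
    """Pull 'Plugin Name:', 'Version:' and 'Plugin URI:' out of the comment
    block WordPress expects at the top of a plugin's main PHP file."""
    head = php_source[:8192]  # WordPress itself reads only the first 8 KB
    found = {}
    for field in _HEADER_FIELDS:
        m = re.search(r"^[ \t/*#]*" + re.escape(field) + r":[ \t]*(.+?)[ \t]*$",
                      head, re.M | re.I)
        if m:
            # Drop a comment terminator that shares the line, then tidy.
            found[field] = re.sub(r"\*/\s*$", "", m.group(1)).strip()
    return found


def _plugin_php_files(path: str):
    """Candidate PHP files for one plugins-directory entry (file or folder)."""
    if path.endswith(".php") and os.path.isfile(path):
        yield path
    elif os.path.isdir(path):
        for name in sorted(os.listdir(path)):
            if name.endswith(".php"):
                yield os.path.join(path, name)


def inventory(wp_root: str) -> dict:
    """Return {'core': {...}, 'plugins': {entry: header}} for an install."""
    result = {"core": {}, "plugins": {}}
    version_file = os.path.join(wp_root, "wp-includes", "version.php")
    if os.path.isfile(version_file):
        with open(version_file, encoding="utf-8", errors="replace") as f:
            m = _CORE_RE.search(f.read())
        result["core"]["wordpress"] = m.group(1) if m else "unknown"
    plugin_dir = os.path.join(wp_root, "wp-content", "plugins")
    if not os.path.isdir(plugin_dir):
        return result
    for entry in sorted(os.listdir(plugin_dir)):
        if entry == "index.php":  # WordPress's own placeholder, not a plugin
            continue
        found = None
        for php in _plugin_php_files(os.path.join(plugin_dir, entry)):
            with open(php, encoding="utf-8", errors="replace") as f:
                header = parse_plugin_header(f.read())
            if "Plugin Name" in header:
                found = header
                break
        # Code in the plugins directory with no recognisable header is worth
        # a look: a plugin installer would not have put it there.
        result["plugins"][entry] = found or {"Plugin Name": "<no header>"}
    return result


def build_sample_install() -> str:
    """Create a constructed WordPress-like tree in a temp dir; return its path."""
    root = tempfile.mkdtemp(prefix="wp-sample-")
    files = {
        "wp-includes/version.php": "<?php\n$wp_version = '6.4.2';\n",
        "wp-content/plugins/index.php": "<?php\n// Silence is golden.\n",
        "wp-content/plugins/hello.php":
            "<?php\n/**\n * Plugin Name: Hello Dolly\n * Version: 1.7.2\n */\n",
        "wp-content/plugins/contact-form/contact-form.php":
            "<?php\n/*\nPlugin Name: Contact Form\n"
            "Plugin URI: https://plugins.example/contact-form\nVersion: 2.0.1\n*/\n",
        "wp-content/plugins/wp-cache-tmp/x.php": "<?php\n/* no plugin header */\n",
    }
    for rel, content in files.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as f:
            f.write(content)
    return root


if __name__ == "__main__":
    inv = inventory(build_sample_install())
    print("core:", inv["core"])
    for name, hdr in inv["plugins"].items():
        print(f"  {name:20} {hdr.get('Plugin Name')}  {hdr.get('Version', '?')}")
```

Run it against the real document root (`inventory("/var/www/html")`, or wherever the hosting provider puts the site) and compare each version against the vendor's current release; every plugin on the list that nobody can name a reason for is a candidate for removal rather than an update.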
The bottom line here: If you own a website, it’s important to understand the full scope of your responsibilities and take precautions to address them.
Vincent Hoang is an enterprise architect at Hawaiian Telcom, a certified information systems security professional (CISSP), GIAC systems and network auditor (GSNA) and Cisco certified network professional (CCNP). Reach him at vincent.hoang@hawaiiantel.com.