Maryland Government Site Hacked By ISIS

On July 25th, 2017 multiple government sites were hacked by friends of ISIS according to Bloomberg’s Mark Niquette. It turns out that Maryland’s Howard County Website server was hacked.  The site was running IIS and had some critical vulnerabilities that were exploited. Ref: https://www.howardcountymd.gov/

screen-shot-2017-06-25-at-5-49-47-pm

First Things First… Don’t Blame Your Team

Your site was hacked.  The first thing you naturally want to do is get angry.  We agree with you that you should be angry, but not at your IT staff. The actors taking your site down are making your life difficult and have every tool in the world available to them. The deck is stacked against your in-house team who have to juggle multiple issues, including the side job of training to maintain a cutting-edge cyber defensive capability on a limited budget.    The “hackers” of the world that are running scripts to break into your computer 24/7, looking for any vulnerabilities that could creep up over time.  Don’t blame your IT staff!

Move Fast

The first thing you should do is re-route your domain to a safe domain, like the fail whale. For more about the fail whale, please see this.

fail_whale

The Famous Fail Whale – What you show when your website is down

With a temporary down page on display, you aren’t promoting ISIS’s propaganda, and you are free to get your site back online. Your other option is just to kill the DNS name complete or shut the server down.  This is exactly what Howard County did.

screen-shot-2017-06-25-at-6-05-35-pm

Restore

Hopefully, you have a decent recovery system in place and can restore your site from a previous backup.  We recommend a full server rebuild (or imaged) and then reload your content. It starts with a clean server, with a trusted OS configuration, loading IIS, and then your content.

Inspect

Review your logs to see if you can see how people are accessing your site.  We recommend publishing your IIS logs to an offsite file storage location as the records are created so you can see how potential hackers are entering your site and what commands they are running.

Open Ports

Also, review your firewalls and look to see what ports you have open. There is a chance that you left a port open that could be bottled up. You should only have 443 and 80.  All HTTP traffic should be forwarded to https.

Plan

The best way you can solve this problem is by building up your infrastructure enough so you could throw it away and restart in a few minutes.  Hacking happens, so you should plan for the inevitable.  Your solution should include building out a separate database from your CMS solution, a decoupled server, backed up file content, and of course a separate copy of your code on a server.  Your downtime should be in minutes, not hours or days.

Outsource

Get this off of your plate.  Many hosting providers and service companies can handle your website extremely efficiently and at scale.  Website hosting is a commodity and should be framed out to keep your team focused on what it does best, like providing incredibly helpful information to your clients. Sites like liquidweb.com  or azure.microsoft.com can take a huge burden off your team.