Here we identify four practical steps SMEs can plan for and follow when they become the victim of a website hack. With the massive growth in cyber-crime, it is a sad fact that for most organisations it is a question of 'when' rather than 'if'.
Below is an action plan designed to contain and limit the scope of a website hack. Some SMEs will have the expertise to follow all of these steps in-house; others will not, in which case they should carry out at least step one as soon as possible, to limit the damage, before bringing in a security professional.
1. Isolate Affected Machines
The essential first step on discovering an attack is to identify the machines that are affected and isolate them. This means cutting off network connectivity, which drops any outbound connections the machine is making to an attacker (command-and-control traffic, data exfiltration) and prevents malware spreading to other machines. If you can do so quickly, capture volatile evidence first (the list of running processes, open network connections and logged-in users), because isolating the host destroys it. Where disconnecting a machine entirely is not possible because of the interruption of service it would cause, limit that machine's network interaction instead, for example by using a host firewall to restrict traffic to the bare essentials and to log everything else the machine tries to send, which tells you where the attacker's infrastructure is.
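As an added example (not part of the original article), the script below generates an nftables ruleset that does the partial isolation just described on a Linux host: everything is dropped except loopback, replies to connections that were already accepted, and new SSH sessions from a single incident-responder address, while new outbound connections are logged before being dropped so that attempted beacons to the attacker show up in the kernel log. The responder address 203.0.113.10 and port 22 are constructed placeholders; the host is assumed to have nftables installed and an IPv4 management address.

```shell
#!/bin/sh
# Added example: quarantine a compromised Linux host with nftables.
# Assumptions: nft(8) is installed, the responder connects over IPv4, and the
# caller supplies the responder's address (203.0.113.10 below is a placeholder).

# Print the ruleset. Kept separate from applying it so it can be reviewed
# (or diffed against the running ruleset) before it is loaded.
quarantine_ruleset() {
    mgmt_ip="$1"            # the only address allowed to open a new connection in
    mgmt_port="${2:-22}"    # SSH by default
    cat <<EOF
flush ruleset
table inet quarantine {
    chain input {
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        ct state established,related accept
        ip saddr $mgmt_ip tcp dport $mgmt_port ct state new accept
        log prefix "quarantine-in " drop
    }
    chain output {
        type filter hook output priority 0; policy drop;
        oif "lo" accept
        ct state established,related accept
        log prefix "quarantine-out " drop
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
    }
}
EOF
}

# Syntax-check the generated ruleset (nft -c) and only then load it.
# Needs root. Existing conntrack entries survive "flush ruleset", so the
# responder's current SSH session stays up as long as it comes from mgmt_ip.
quarantine_apply() {
    tmp=$(mktemp) || return 1
    quarantine_ruleset "$@" > "$tmp"
    nft -c -f "$tmp" && nft -f "$tmp"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Usage (as root, on the compromised host, with your own responder address):
#   quarantine_apply 203.0.113.10 22
#   journalctl -k | grep quarantine-out   # what the box tried to reach after lockdown
```

Pass the address you are actually connected from (or use console access), otherwise you lock yourself out along with the attacker. The `quarantine-out` log lines are worth keeping: they list every host the compromised machine tried to contact after isolation, which is exactly the attacker infrastructure you want to block at the perimeter and search for in other hosts' logs.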
2. Assess & Limit Damage
Identify the IP addresses used during the attack. An IP address alone is not enough to attribute an attack to a particular origin (attackers route through proxies, VPNs and other compromised hosts), but it is a useful pivot: searching for the same addresses across web server logs and other system logs reveals the attack's timeline and pattern. Check web server access and error logs, database server logs, firewall logs, operating system and authentication logs, and the logs of any other network services. Copy the logs off the affected host before they rotate or the attacker tidies them up, and work from the copies.
The attacker most likely leveraged a vulnerability in your website (the application itself, its CMS, or a plugin or library it depends on) to gain control of your web server, and may have used that foothold to escalate the attack further. That vulnerability is almost certainly still there and exploitable by others, and by the same attacker returning. It is not too late: run both a web application security scan and a network security scan against the web server to find it, and bear in mind that scanners will not find everything, so also review the logs around the first sign of compromise for the actual entry point.
Furthermore, the attacker might have obtained the credentials of a user on the system (often by guessing commonly used weak passwords, through spear-phishing or through other social engineering techniques). Identify the accounts that have been compromised; this gives you an indication of which resources the attacker could reach. Change the credentials for these accounts, and also revoke anything that survives a password change (active sessions, API keys, SSH keys, access tokens), then keep a close eye on suspicious account activity. Remember, it could be an insider after all.
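The following is an added example (not code from the original article) of the log triage described in the two paragraphs above: it flags IP addresses that show scanning or attack payloads in the web server access log, then checks the SSH authentication log for successful logins from those addresses, which points at compromised accounts. It assumes the Apache/nginx "combined" access-log format and syslog-style sshd lines; the patterns, the error threshold and all the log lines are constructed for illustration and should be tuned to your own environment.

```python
# Added example: triage access and auth logs after a website hack.
# Assumptions: Apache/nginx "combined" access-log format, sshd lines as written
# to /var/log/auth.log, and illustrative detection patterns and thresholds.
import re
from collections import Counter, defaultdict
from urllib.parse import unquote

ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
SSH_OK_RE = re.compile(r"Accepted (?:password|publickey) for (?P<user>\S+) from (?P<ip>\S+)")

# Request markers worth flagging even on a single hit. Paths are URL-decoded
# before matching, so "%2e%2e%2f" and "../" are treated alike.
ATTACK_PATTERNS = (
    ("traversal", re.compile(r"\.\./")),
    ("sqli", re.compile(r"(?i)(union\s+select|'\s*or\s+1\s*=\s*1|sleep\()")),
    ("webshell", re.compile(r"(?i)/uploads?/.*\.ph(?:p|tml)\b")),
)


def parse_access(lines):
    """Yield one dict per well-formed access-log line; lines that do not parse are skipped."""
    for line in lines:
        m = ACCESS_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["path"] = unquote(rec["path"])
            rec["status"] = int(rec["status"])
            yield rec


def suspicious_ips(access_lines, error_threshold=5):
    """Return {ip: set(reasons)} for IPs that probed for files (many 403/404s) or sent attack payloads."""
    errors = Counter()
    reasons = defaultdict(set)
    for req in parse_access(access_lines):
        if req["status"] in (403, 404):
            errors[req["ip"]] += 1
        for name, pattern in ATTACK_PATTERNS:
            if pattern.search(req["path"]):
                reasons[req["ip"]].add(name)
    for ip, count in errors.items():
        if count >= error_threshold:
            reasons[ip].add("scanning")
    return dict(reasons)


def compromised_accounts(auth_lines, flagged_ips):
    """Map user -> set(ips) for successful SSH logins that came from a flagged IP."""
    hits = defaultdict(set)
    for line in auth_lines:
        m = SSH_OK_RE.search(line)
        if m and m.group("ip") in flagged_ips:
            hits[m.group("user")].add(m.group("ip"))
    return dict(hits)


# Constructed sample data (documentation/test-net addresses, not real traffic).
ACCESS_LOG = [
    '203.0.113.45 - - [12/Mar/2024:03:14:01 +0000] "GET /wp-login.php HTTP/1.1" 200 1043 "-" "Mozilla/5.0"',
    '203.0.113.45 - - [12/Mar/2024:03:14:02 +0000] "GET /admin/ HTTP/1.1" 404 209 "-" "Mozilla/5.0"',
    '203.0.113.45 - - [12/Mar/2024:03:14:02 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 209 "-" "Mozilla/5.0"',
    '203.0.113.45 - - [12/Mar/2024:03:14:03 +0000] "GET /.env HTTP/1.1" 403 199 "-" "Mozilla/5.0"',
    '203.0.113.45 - - [12/Mar/2024:03:14:03 +0000] "GET /backup.zip HTTP/1.1" 404 209 "-" "Mozilla/5.0"',
    '203.0.113.45 - - [12/Mar/2024:03:14:04 +0000] "GET /wp-config.php.bak HTTP/1.1" 404 209 "-" "Mozilla/5.0"',
    '203.0.113.45 - - [12/Mar/2024:03:15:10 +0000] "GET /index.php?page=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1911 "-" "Mozilla/5.0"',
    '203.0.113.45 - - [12/Mar/2024:03:16:42 +0000] "POST /wp-content/uploads/2024/03/cache.php HTTP/1.1" 200 12 "-" "python-requests/2.31"',
    '198.51.100.7 - - [12/Mar/2024:04:01:17 +0000] "GET /products?id=1%20UNION%20SELECT%20user,pass%20FROM%20users-- HTTP/1.1" 500 512 "-" "sqlmap/1.7"',
    '192.0.2.10 - - [12/Mar/2024:08:00:01 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [12/Mar/2024:08:00:02 +0000] "GET /about HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]
AUTH_LOG = [
    "Mar 12 03:20:11 web01 sshd[2231]: Failed password for root from 203.0.113.45 port 51822 ssh2",
    "Mar 12 03:20:19 web01 sshd[2231]: Accepted password for deploy from 203.0.113.45 port 51822 ssh2",
    "Mar 12 08:02:44 web01 sshd[2390]: Accepted publickey for alice from 192.0.2.10 port 40210 ssh2",
]

if __name__ == "__main__":
    flagged = suspicious_ips(ACCESS_LOG)
    for ip, why in sorted(flagged.items()):
        print(f"{ip}: {', '.join(sorted(why))}")
    for user, ips in compromised_accounts(AUTH_LOG, flagged).items():
        print(f"compromised account: {user} (logged in from {', '.join(sorted(ips))})")
```

On the sample data this flags 203.0.113.45 for scanning, directory traversal and a hit on a PHP file in the uploads directory (a web shell being used), flags 198.51.100.7 for SQL injection, and then shows that the `deploy` account was logged into from 203.0.113.45, so that account goes on the list to reset and watch. The successful request to the uploads path is also the kind of entry-point evidence a vulnerability scanner alone will not give you.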
In addition to testing your website for vulnerabilities, check for malware. Research any malware you identify and establish what it does: which files it touches, which addresses it contacts and what it is capable of. Much malware is built to spread to other systems, so treat neighbouring hosts as suspect until they have been checked.
The attacker might have installed a RAT (Remote Access Trojan, also called a Remote Administration Tool), which gives them full control of the system. Once again, identify the capabilities of the RAT so you can establish whether it could have been used to reach other machines. Finally, the compromised machines should ideally be wiped and rebuilt from a known-good image rather than cleaned in place. Before wiping, take a forensic image of the disk if you may need the evidence later. Restore data only from backups taken before the compromise, and scan whatever you restore, so that you do not carry any malware over onto the rebuilt system.
3. Prepare to be the bearer of bad news
If getting hacked is seen as irresponsible, withholding that information from end users, customers or even from management is worse. You should always own up to a security breach, regardless of who is at fault, once you have gathered the relevant facts. If your users' email addresses and passwords (or, worse, credit card data, health records or other personally identifiable information) were stolen from your website, it is likely they will end up for sale on the Internet.
Notifying the parties concerned gives them the opportunity to change their passwords or cancel their credit cards, and at least to be aware that their data is out there for the taking. In many jurisdictions notifying affected individuals and a regulator within a set period is also a legal requirement, so find out what applies to you before an incident rather than during one.
4. Protect yourself against future attacks
Ensure that your employees are familiar with basic IT security practices. Run regular vulnerability scans against your perimeter servers, and scan again after any significant change, to confirm that your systems are not exposed. Use the results to fix flaws as quickly as possible, starting with the highest-severity vulnerabilities (in particular anything reachable from the Internet) and working down the list to the least severe. Keep operating systems, web applications, CMS plugins and any other software up to date, since known, unpatched flaws are the easiest way in.
So there are preventative steps and practical actions SMEs can take to tackle the scourge of cyber-criminals. The advice is not to panic, but to follow the steps and limit your exposure.