5 Safeguards From 'Watering Hole' Attacks, Chinese Hackers

Is your small business website a potential target for state-sponsored hackers?

As President Obama meets with Chinese president Xi Jinping this week to discuss the growing cyberespionage problem affecting many Fortune 500s, one business group has been largely overlooked in the discussion about US cybersecurity - SMBs.

While cyber attacks against Google, Lockheed Martin, Bank of America and other major US companies rule the news headlines, smaller businesses with less than 250 employees are increasingly in the cross-hairs of sophisticated hacker groups from around the world, including China, according to recent reports. In fact, Symantec found that almost one-third of all cyber attacks now target small businesses - a 72% increase in the last year.

In the past, SMBs have often dismissed cybersecurity threats as something that only happens to big companies. After all, why would a state-sponsored hacker or Eastern European organized crime group care about a small business that isn’t holding state secrets or a multi-million dollar bank account? But security researchers have found that hackers are increasingly targeting SMBs because they have something else of value - unique visitors to their websites.

It’s a tactic known as the “watering hole” attack. Small business websites are often visited by large corporate clients or the vendors of a larger company. The website is trusted by these organizations and not considered a risk, so they let their guards down. Since many SMBs don’t have sophisticated security programs in place, their websites are easy to break into - and hackers can use them as a “spring board” to attack a larger company. After all, hacking into a Fortune 500 company isn’t easy  - but if a hacker can get them to voluntarily visit an infected website, they simply bypass all of these corporate cybersecurity protections.

Here’s how a watering hole works: A state-sponsored hacker group wants to target a company like Lockheed Martin. They find it difficult to break into Lockheed directly, so instead they go down the supply chain to find a weak link. Maybe it’s an SMB that does business directly with Lockheed - or maybe it’s the vendor of a vendor of a vendor, and the hacker can use each smaller company as a stepping stone to make its way up the chain.

Supply chains are so intertwined these days, many SMBs may not even realize all the supply chains they’re in. Since small businesses often make basic mistakes with website and network security - due to smaller budgets, inexperience and lack of awareness about the risks - it becomes the perfect place to launch an attack. The hacker breaks into the SMB’s website, installs malware and then waits. The next time the site is visited, the malware secretly attacks that person’s computer and infects their organization. This is what happened to Apple, Facebook and Twitter - these companies were hacked after their software engineers visited a popular mobile developer forum that had been turned into a watering hole by hackers.

The same method can also be used by organized crime groups to target consumers and steal their credit card numbers or online banking credentials.

A watering hole attack can be extremely damaging to a small business. It can ruin a company’s reputation - causing it to lose current and future business. Even if it’s able to keep its clients, the SMB will still suffer disruption to its business operations, downtime and possible blacklisting by the search engines (a death sentence for SEO). It could also potentially be hit with fines and lawsuits.

Since many small businesses don’t have security monitoring on their websites, it could take a long time before they even realize they’ve been corrupted - meanwhile, they’re an unwitting accomplice in the infection of countless customers and visitors.

Is your website a potential watering hole for hackers? Here are five things you need to do:

No. 1: Before Going Live, Ask This Question

If you’re in the process of launching a new website, make sure the web developer, or website template you’re using, is checking the design against the OWASP Top 10 list of most common web security flaws. You can start by asking this person to explain how your web applications are not vulnerable to the OWASP Top 10. If they don’t have a solid answer, you need to find another developer.

No. 2: Get Your Website Checked

You can sign up for a service that will scan your website daily for basic vulnerabilities and malware. Some of the more popular services are the Nessus Vulnerability Scanner, Symantec Safe Site and McAfee SECURE for Websites. Just keep in mind that these scans don’t cover everything - they’re only one step in making your website secure.

No. 3: Have Security Monitoring in Place

Make sure you’re using a “security information and event management” (SIEM) tool. These will monitor your website for active attacks. Here are a few examples of SIEMs: Splunk, AlienVault and HP Arcsight.

No. 4: Hire a Hacker

“White hat” or “ethical hacking” is a popular profession these days and there are plenty of firms out there. This isn’t cheap, but if you have the ability, consider hiring an ethical hacker to take a look at your website and network to see if a hacker would be able to break in. Be sure to check the qualifications of the company first, however: how long they’ve been in business and client references. Those references are more important than fancy certifications, which don't necessarily tell you much about the person's technical ability or professionalism.

No. 5: Check for Blacklisting

It’s also a good idea to check the popular blacklist directories to see if your website has been flagged. This is another way to see if your website is being used by hackers, but more importantly it will help you determine if the search engines are flagging your site as malicious. You can check your site on BlackList.orgMXToolBox.com or WhatIsMyIPAddress.com. If your website is flagged, you need to figure out why - then contact the database that is blacklisting your site and ask them to take it off the list.

Rohit Sethi is vice president of Security Compass and specializes in web and mobile application security for major companies, banks and technology services. Sethi has spoken and taught at leading cybersecurity conferences, including RSA and OWASP, and has spoken on television about information security.