Cybersecurity Spotlight – Website Defacements

What it is

Website defacements are the unauthorized modification of web pages, including the addition, removal, or alteration of existing content. These attacks are commonly carried out by hacktivists, who compromise a website or web server and replace or alter the hosted website information with their own messages. Website defacements are primarily orchestrated by unskilled actors using automated applications to test websites for vulnerabilities, such as susceptibility to SQL injection attacks. Websites that are unpatched or misconfigured are susceptible to the simple probing tools used by these actors, which can lead to unauthorized access to websites. These attacks are often opportunistic; when a probing tool is successful, the actors will initiate an attack.

Why does it matter

While in most cases they seem to be simply a nuisance, website defacements pose a potential public relations concern for election offices. Website defacements can act as a DoS attack method, preventing people from accessing the information they need if it has been removed from the site. Additionally, attackers may post graphic imagery to sites for shock value, which could disturb viewers and tarnish the reputation of the target organization. For example, in the past, public organizations' websites, including those geared towards children, have been defaced with jarring imagery such as war zone destruction. While not previously observed by the EI-ISAC, there is a possibility that defacement of an election website may promote disinformation, including the alteration of times and dates for open voting events or unofficial results. These changes may be subtle and thus difficult to detect. Website defacements often reveal a larger security problem. The same vulnerability used to deface a website can be used for other attacks. When a defacement is successful, it advertises that the site has weak security, and attackers may attempt additional attacks. If election websites are targeted and defaced, they may be probed for additional vulnerabilities. This can lead to more damaging cyber attacks with significant consequences, including network compromises or data breaches.

What you can do

Election officials should proactively create plans to defend against and recover from website defacements. The risk of website defacements can be greatly reduced by maintaining up-to-date software. Election officials should consider enrolling in the EI-ISAC’s Vulnerability Management Program (VMP) to receive notifications on outdated software. EI-ISAC members can enroll by sending their public-facing domains and subdomains to soc@cisecurity.org. To further protect against website defacements, consider using these methods:

  • implementing the principle of least privilege on web servers
  • validating user input
  • using reverse proxies
  • deploying web application firewalls

Election offices should remain vigilant in detecting website defacements to help prevent future compromises. If the EI-ISAC becomes aware of website defacements, we will notify the affected government entities immediately. If you detect a website defacement, consider temporarily taking the site down to prevent any further misrepresentation, and have a recovery plan that covers how to alert readers about the targeted website. To help prevent loss of availability, have offline backups established that can be quickly deployed in place of a compromised website.
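
One way to detect the subtle changes described above is to compare the deployed site's files against the offline backup. The following is an added example, not EI-ISAC code: it assumes a static site stored as files on disk, and the function names, page names and contents are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path


def manifest(root):
    """Map each file's path (relative to root) to the SHA-256 of its bytes."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def compare(baseline, live):
    """Classify differences between the known-good manifest and the live one."""
    return {
        "added": sorted(set(live) - set(baseline)),
        "removed": sorted(set(baseline) - set(live)),
        "altered": sorted(f for f in baseline.keys() & live.keys()
                          if baseline[f] != live[f]),
    }


def demo():
    """Constructed sample: a three-page site and a tampered copy of it."""
    with tempfile.TemporaryDirectory() as tmp:
        backup, live = Path(tmp, "backup"), Path(tmp, "live")
        for d in (backup, live):
            d.mkdir()
            (d / "index.html").write_text("<h1>County Elections</h1>")
            (d / "hours.html").write_text("<p>Polls open 7:00 AM to 8:00 PM</p>")
            (d / "contact.html").write_text("<p>Call the clerk's office</p>")
        # Subtle alteration of a time, one removed page, one added file.
        (live / "hours.html").write_text("<p>Polls open 7:00 AM to 6:00 PM</p>")
        (live / "contact.html").unlink()
        (live / "notice.html").write_text("<p>unauthorized message</p>")
        return compare(manifest(backup), manifest(live))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Keep the baseline manifest with the offline backup rather than on the web server, so that someone who can modify the site cannot also modify the baseline. Pages generated from a database would need to be fetched and compared as rendered output instead of as files.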
---
The EI-ISAC Cybersecurity Spotlight is a practical explanation of a common cybersecurity concept, event, or practice and its application to Elections Infrastructure security. It is intended to provide EI-ISAC members with a working understanding of common technical topics in the cybersecurity industry. If you would like to request a specific term or practice that may be of interest to the elections community, please contact elections@cisecurity.org.