You've just discovered your website has something on it you didn't put there. Perhaps your front page now declares the "l33t" skills of a script-kiddy, or Google or your hosting provider has flagged your site as being compromised. You realize your site has been hacked! What do you do?
Time to bring out your site recovery plan! Don't have one? Let’s figure out what you need. First, don't panic. This happens, and with a proper recovery strategy you can respond in a timely fashion and deal with the situation. In some instances you might be able to deal with the situation directly, but most of the time we find that a technical person, either on-staff or from an agency like Agentic, will be required.
Whether you are a larger organization with dedicated IT staff, or a smaller organization that needs to rely on outside experts, it is really worth developing and reviewing the plan at regular intervals because your site will change over time.
There are two important parts to the plan.
1) Restoring normal web site service, usually through restoring files and data from a backup; and
2) Dealing with the issues raised from the intrusion or defacement.
The main issue most times is just getting your site back to normal. While we can’t anticipate every situation because of the wide variety of website implementations and hosting arrangements, here is a high-level overview to help provide a context for what's involved.
1) Restoring Service
Restoring service from a nefarious action (or clerical error, hardware failure, etc.) is pretty much the same; identify the point in time that you know the site was in good shape, and restore the files and/or databases. Ah, you say, “backups?”
So if you take only one thing away from this article, it's this: MAKE SURE YOU ARE MAKING REGULAR BACKUPS. They are the keystone to restoring service and evaluating how damaging an intrusion is.
For most of our clients, websites usually have multiple items that need backing up. Typically, these are the files/images and the database. In some cases there may be more. If your site has a control panel backup option it may, or may not, back up everything required to restore your site.
Working with a partner like us, or your IT dept, we can identify all the things that need backing up and then make sure they're being backed up.
2) Dealing with Intrusion Issues
In the case of an intrusion, your technical staff or consultants need to determine when the intrusion started in order to restore your site to a time before the hack. If you don't have any technical staff or an ongoing relationship with a technical consultant your web host may be able to assist; in many cases, they will be the ones to notify you of the problem and may have even identified the source. Skill sets and willingness to assist vary greatly from host to host, you can't count on this as an option.
If the intrusion has been ongoing, the recovery process may be more complicated than simply restoring from backup. You may have to re-enter content, or in extreme cases, recreate your website and sanitize, or reload, your content.
Intrusion issues can broadly fall into public relations and legal categories. If a website is purely informational and was defaced, restoring the site to regular operation is the beginning. Some questions may get asked by external parties, depending on the specifics on the intrusion. How you deal with this is an extension of your company culture and public relations strategy.
If a website supports electronic commerce and sensitive customer information was stolen, there might be a lot more work to do. Actions are governed by the local laws and vary greatly from jurisdiction to jurisdiction. There may also be contractual obligations to consider. You should think about consulting a lawyer.
So, what did we cover?
- Dealing with a website intrusion is best done before it happens by having a recovery plan.
- Good backups are the cornerstone of any recovery strategy. Make sure that backups are taking place and that everything that needs backing up is being backed up.
- A recovery plan will not only work to recover from being hacked, it will also cover human error and equipment failure.
My thanks to Robert Slade for his help and advise on this post.