The Reaction Time to Web Site Defacements

posted Jan 17, 2012, 2:31 AM by Eric Medvet   [ updated May 26, 2016, 3:25 AM ]
Web site defacement has become a common threat for organizations exposed on the web. Several statistics indicate the number of incidents of this sort, but a crucial piece of information is still lacking: the typical duration of a defacement. Clearly, a defacement lasting one week is much more harmful than one lasting a few minutes. In this paper we present the results of a two-month monitoring activity that we performed over more than 62000 defacements in order to figure out whether and when a reaction to the defacement is taken. We show that this reaction time tends to be unacceptably long, on the order of several days, and has a long-tailed distribution. We believe our findings may improve the understanding of this phenomenon and highlight issues deserving attention by the research community.

Web site defacement is one of the most common attacks on the Internet. The only existing approach to automatic detection of such attacks is based on a comparison between the web resource and an uncorrupted copy kept in a safe place. Implementing such a framework may be expensive and difficult, especially for dynamic resources. In this paper we explore a different approach and propose a tool capable of monitoring the integrity of remote web resources automatically, while remaining fully decoupled from them. We evaluated our tool on a selection of highly dynamic resources and the results are very encouraging: the tool is indeed able to detect (simulated) defacements and cope with dynamic content while keeping false positives to a minimum. This framework may allow developing services capable of monitoring many foreign web sites cheaply, which may be very attractive for small budget-limited organizations that depend on the web for their operation.
Eric Medvet,
Jan 17, 2012, 5:16 AM