"If you see one, there's 20 you're not seeing," said Hegedus, the CEO of Suffolk-based cybersecurity firm Sera-Brynn.
A recent run of website breaches in Hampton Roads has underscored how anyone can be a target. Since January, sites for Isle of Wight County, Colonial Williamsburg and a private school in Chesapeake have been infiltrated.
The first two cases included hackers claiming ties to the Islamic State group. In the most recent incident, a week ago Sunday, a screen showing a modified biohazard symbol and signed in part by the "Muslim Cyber Force" was placed on the website for Greenbrier Christian Academy.
School Superintendent Ron White told The Virginian-Pilot that he had spoken with the FBI and Virginia State Police and wasn't worried about a terrorist attack.
In Isle of Wight County, IT director Jason Gray said the government's site was fixed within about 30 minutes of his learning about the breach. He said he suspected it to be the work of a Web robot that randomly scours the Internet in search of vulnerable sites. There have been reports of hundreds of similar breaches across the country, he said.
So-called "hacktivist" attacks aren't looking to steal money or data, said John Kipp, the chief operating officer of Sera-Brynn.
"They just want to do some damage and get in the news, and it works," he said.
Their successes also shine a light on how any website, no matter its size or affiliation, can wind up in the crosshairs of an attack.
"The mentality of, 'Well, we're not really important, it's not going to happen to us,' is really dangerous, as more and more people are learning," Kipp said.
Automated programs, set loose on the Internet by hackers, are constantly probing websites for vulnerabilities, Kipp said. Perhaps a program scans a thousand addresses and finds 30 that show promise.
"Then they'll step it up against those guys until they get some compromised, until they can actually get in and do something," Kipp said.
Web hosting providers and network administrators build defenses to withstand the barrage, but all that work can be undone by the careless behavior of others. Passwords are made too simple. Employees access work accounts on personal laptops infested with malware, or they open suspicious emails and click on links planted by hackers.
"The individuals need to be a lot more responsible and think about it more," Kipp said.
Gray said Isle of Wight's website might have been breached through a user's account or a vulnerability in WordPress, the content management system that the county uses for its site. Internet traffic at the time of the breach traced back to Algeria, so Gray has blocked a range of IP addresses from there, though he noted hackers can easily spoof or mask addresses to try to cover their tracks.
The county also updated its software, removed unnecessary user accounts and strengthened its passwords, he said. The fallout was minor; the hackers had no access to sensitive information, and undoing their work only involved replacing a file, Gray said.
Victims are not always so lucky.
Kipp said Sera-Brynn last year helped a Hampton Roads-based service provider that had malware running wild following a security lapse, leading to the theft of thousands of records. The company, which Kipp declined to name, is doing fine, but the breach probably cost it $250,000, he said.
©2015 The Virginian-Pilot (Norfolk, Va.) Distributed by Tribune Content Agency, LLC
