Ryan Boudreaux offers some resources that are widely available to organizations that need to harden their website security. A checklist will help guide your security strategy.
Recent reports of cyberattacks have been recounted from several large public facing media organizations such as The Wall Street Journal (WSJ), The Washington Post (WP), and The New York Times (NYT), and from all accounts it appears that several of the hacking attacks have been ongoing for several months or years. Progressing through these stories it was determined that Chinese hackers had been infiltrating their systems, over a four month period for NYT, furthermore, the WSJ claims that it has faced a multitude of hacking threats from China during the past few years.
You might think your website is not likely to be the target of an international hacking gang, but that doesn't mean you shouldn't be prepared for all the other random exploits making the rounds. This article will review several national responses and the resources they've made available for organizations. I also include a checklist of things that you can do to help prevent or reduce the risk of your website or internal infrastructure and systems being the target of a concerted cyberattack.
The national response
It has been suggested that The President has the power to launch a "pre-emptive strike" on computer networks if the United States detects credible evidence of an imminent major digital attack from abroad, according to officials involved in a secret legal review as reported in NYT. In addition, the United States National Security Council (NSC) Cybersecurity division has stated that the global cyber threat is one of the most serious economic and national security challenges we face as a nation today. In response to the growing threat, the President directed another review of the nation's information and communications infrastructure, which resulted in the Cyberspace Policy Review (PDF).
The Department of Homeland Security (DHS) Cybersecurity team maintains a team of skilled cybersecurity professionals and partners with the private sector to fight against cybercrime. DHS has been able to effectively respond to cyber incidents, provide technical assistance to owners and operators of critical infrastructure, and disseminate timely and actionable notifications regarding current and potential security threats and vulnerabilities. The DHS has what it calls the Stop. Think. Connect. Campaign, which is a national public awareness campaign aimed at increasing the understanding of cyber threats and empowering the American public to be safer and more secure online. The campaign has a broad spectrum audience including students, parents, educators, young professionals, older Americans, government, industry, small business, and law enforcement.
The Federal Communications Commission (FCC) provides a Cybersecurity for Small Business website that offers 10 Cyber Security Tips for Small Businesses along with a Cybersecurity Tip Sheet (PDF) for small businesses. The website also provides additional resources to information about government agencies and private organizations that have educational resources and tools related to cybersecurity. The FCC also provides the Custom Small Biz Cyber Planner 2.0, which allows you to create a custom plan for guarding against growing cyber threats. The Cyber Planner allows you to create a cover sheet with your company name, city and state, then select from a list of topics to include in your custom cyber security planning guide. Topics include Privacy and Data Security, Scams and Frauds, Network Security, Website Security, Email, and more. This guide is not a substitute for consulting trained cyber security professionals.
The National Initiative for Cybersecurity Education (NICE) is a national campaign designed to improve the cyber behaviors, online skills, and knowledge of every segment of the population, enabling a safer cyberspace. The NICE organization provides awareness, education, workforce structure, and training & professional development led by the Department of Defense (DoD), Office of the Director of National Intelligence (ODNI), and the Department of Homeland Security (DHS).
How can you respond?
What can you do as an organizational stakeholder to prevent or reduce the risk of your website or internal systems being the target of a concerted cyberattack? Architecting your own cyber security plan is a challenge, but not an impossible task to manage. Web servers are just as vulnerable as any other systems within an organization's network infrastructure. Your security is only as strong as the weakest link of what lies behind the firewall. I've recorded a checklist of items that should be included in any cybersecurity plan, in particular, for web servers and website security. This starter checklist is based on the typical best practices provided within known cyber planning systems.
Internal network, website and web server security checklist
- Secure internal network and cloud services: Anti-virus software and intrusion detection systems should be incorporated within your infrastructure. Border routers should be configured to only route traffic to and from your company's public IP addresses; in addition, firewalls should be deployed which restrict traffic only to and from the minimum set of necessary services. Furthermore, intrusion detection and prevention systems should be configured to monitor for suspicious activity crossing your network periphery.
- Develop strong password policies: Typically a two-factor authentication method which requires two types of evidence that you are who you claim to be are usually safer than using just static passwords for authentication. Strong passwords are random, complex (including letters, numbers, and special characters), long (at least 10 characters), changed regularly (at least every 90 days), and are closely guarded.
- Set safe web browsing rules: Use safe browsing features included with modern updated web browsing software and include a web proxy server to ensure that malicious or unauthorized sites cannot be accessed from your internal network.
- Ensure your remote access is secure: If your organization does require remote access to the internal network ensure that you utilize a secure Virtual Private Network (VPN) connection, again, using a two-factor authentication method.
- Carefully plan and address security aspects of public facing web servers: Identify the types of personnel required to have access to administer, maintain, and perform regular activities.
- Execute suitable security management practices and controls when maintaining and operating a secure web server: Practices include a system-wide information security policy, server configuration and change control management, risk assessment and management, standard software configurations, security awareness and training, certification and accreditation.
- Guarantee that web server operating systems meet standard and current security requirements: This means that all security and upgrade patches are performed on a regular basis, default passwords are changed, unnecessary services or applications are removed or disabled, operating system user authentication is configured correctly, resource controls are configured, and security testing of the operating system is performed regularly.
- Ensure that only appropriate content is published on your website: Carefully examine what information should be published for public access, and which information and resources needs to have limited or restricted access. Examples of the types of data that should be protected include classified and proprietary business information, medical records, detailed physical and security information.
- Ensure appropriate steps are taken to protect web content from unauthorized access or modification: Ensure that information cannot be modified without authorization, and this includes:
- Limiting uploads to a directory that is not readable by the web server
- Defining a single directory for external scripts or programs executed as part of web content
- Disabling the use of hard or symbolic links
- Define a complete web content access matrix identifying which folders and files in the web server document directory are limited, which are available, and by whom
- Disable directory listings
- Employ intrusion detection and prevention systems and file integrity checkers to spot intrusions.
- Protect each backend server (i.e., database server or directory server) from command injection attacks.
This is a starter checklist for what should be part of a more comprehensive cyber security plan and system within your organization. Do you know how secure your website servers are within your organization?
Here are some other security-related posts on TechRepublic that you might want to check out: