Websites are an important business asset for organisations. Any customer or prospect can access them, so the services offered and information about the company are available anytime, anywhere. With the number of visitors it can attract, a website has become an attractive target for cybercriminals. They can abuse it for multiple malicious purposes, such as accessing sensitive data, using its bandwidth for criminal activities, hosting illegal content, phishing, defacement or denial of service. The consequences can be disastrous for a company in terms of reputation and financial loss.
Using a “defence in depth” approach, the website can be protected by setting up independent layers of security that cover not only the software and hardware of the server, but also its hosting infrastructure. Those layers can include, for example, a network firewall, a web application firewall, anti-malware software, etc. Combined, they aim at protecting the server against common cyber threats (e.g., malware, DDoS, etc.). If the website hosting is outsourced, make sure the provider has sufficient security controls in place to ensure that protection.
A particular protection method to include within the defence in depth approach is to set up a Web Application Firewall (WAF). A WAF inspects the HTTP(S) traffic exchanged between clients and the web application and allows or denies each request based on defined security rules. It protects against attacks aimed at the application itself, such as SQL injection, cross-site scripting, path traversal, malicious file uploads and application-layer (HTTP flood) denial of service. It does not stop phishing e-mails or ransomware on workstations, and volumetric DDoS attacks still need mitigation upstream of the server.
The Web Application Firewall sits between the client and the server, usually as a reverse proxy. Because it terminates the TLS connection, it can decrypt the traffic and analyse the content of each request to the web application, not just the source and destination addresses. This way, if it detects something suspicious according to its configured rules, it can block the request and generate alerts that are sent to the organisation’s IT responsible and their team, who then decide which actions to take next.
The Web Application Firewall only protects against attacks that arrive through the web application. It doesn’t replace a perimeter firewall, which blocks unauthorised access and detects attacks coming through other entry points.
Only the services the server actually needs should be configured and exposed; everything else should be blocked to avoid unused and potentially dangerous access points. Additionally, specific rules can be implemented, such as filtering by IP address (e.g., restricting the administration interface to known addresses) or blocking specific file types (e.g., refusing uploads of executable files).
Finally, all unused services and features should be disabled or limited in order to reduce the probability of getting hacked.
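To make the rule-based filtering described above concrete, here is an added example (not code from the page or from any WAF product) of the decisions a web application firewall or a hardened server configuration takes on each request: a source-address blocklist, an allowlist for the administration area, a restricted set of HTTP methods, refusal of executable uploads, and a few injection signatures matched after URL-decoding. The networks, paths, rule set and sample requests are constructed assumptions for illustration, not a production rule set.

```python
"""Request filtering of the kind a Web Application Firewall performs.
Added illustration only; the rule set, networks and sample requests below are
constructed for this example and are not a production-ready configuration."""
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional
from urllib.parse import unquote, urlsplit

# Assumed policy for the example (not recommendations): which methods the site
# needs, which source networks are banned, who may reach the admin area, and
# which upload types are refused.
ALLOWED_METHODS = {"GET", "POST", "HEAD"}
BLOCKED_NETWORKS = [ip_network("203.0.113.0/24")]       # constructed: known-bad range
ADMIN_PATH_PREFIX = "/admin"
ADMIN_ALLOWED_NETWORKS = [ip_network("192.0.2.0/24")]   # constructed: office range
FORBIDDEN_UPLOAD_EXT = {".php", ".phtml", ".exe", ".sh"}
INJECTION_PATTERNS = [
    re.compile(r"(?i)union\s+select"),                   # SQL injection
    re.compile(r"(?i)'\s*or\s+'?\d+'?\s*=\s*'?\d+"),      # ' OR '1'='1
    re.compile(r"(?i)<script\b"),                        # reflected XSS
]


@dataclass
class Request:
    client_ip: str
    method: str
    target: str                            # path and query string as sent by the client
    upload_filename: Optional[str] = None  # name of an uploaded file, if any


@dataclass
class Decision:
    allowed: bool
    reason: str = "ok"


def evaluate(req: Request) -> Decision:
    """Apply the rules in order; the first matching rule decides."""
    ip = ip_address(req.client_ip)
    if any(ip in net for net in BLOCKED_NETWORKS):
        return Decision(False, "source address is on the blocklist")
    if req.method not in ALLOWED_METHODS:
        return Decision(False, "method %s is not allowed" % req.method)

    parts = urlsplit(req.target)
    path = unquote(parts.path)    # decode %2e%2e etc. before matching, as a WAF does
    query = unquote(parts.query)

    if ".." in path.split("/"):
        return Decision(False, "path traversal attempt")
    if path.startswith(ADMIN_PATH_PREFIX) and not any(ip in net for net in ADMIN_ALLOWED_NETWORKS):
        return Decision(False, "admin area is restricted by source address")
    for pattern in INJECTION_PATTERNS:
        if pattern.search(query) or pattern.search(path):
            return Decision(False, "injection signature %r" % pattern.pattern)
    if req.upload_filename and "." in req.upload_filename:
        ext = "." + req.upload_filename.rsplit(".", 1)[1].lower()
        if ext in FORBIDDEN_UPLOAD_EXT:
            return Decision(False, "upload of %s files is not permitted" % ext)
    return Decision(True)


if __name__ == "__main__":
    samples = [   # constructed sample traffic
        Request("198.51.100.7", "GET", "/products?id=42"),
        Request("198.51.100.7", "GET", "/products?id=1%27%20OR%20%271%27%3D%271"),
        Request("198.51.100.7", "GET", "/static/..%2F..%2Fetc/passwd"),
        Request("198.51.100.7", "POST", "/upload", upload_filename="shell.PHP"),
        Request("203.0.113.9", "GET", "/"),
    ]
    for r in samples:
        d = evaluate(r)
        print("%-5s %-15s %-45s %s" % ("ALLOW" if d.allowed else "BLOCK", r.client_ip, r.target, d.reason))
```

Note that the decoding step is what makes the rules useful: a signature matched against the raw, still percent-encoded request is trivially bypassed. Real WAF rule sets also normalise double encoding, Unicode and case, which this example does not attempt.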
As with all information and technology systems, updates to the web server components are crucial to make sure any known vulnerability is remediated, giving cybercriminals no chance to exploit it.
The typical components of a web server include:
* The BIOS/firmware of the hardware the server is running on;
* The operating system of the server;
* The web server software used (e.g., Apache, nginx, IIS, etc.);
* The content management system (e.g., Drupal, Joomla, WordPress, etc.);
* Optionally, the virtualisation layer.
Very few companies build their website from scratch. They usually rely on third-party platforms that come with a great number of plugins and themes. Make sure to keep those up to date as well. The third-party developers are constantly fixing newly discovered vulnerabilities, so applying their updates is crucial to run the least vulnerable version of each component.
One of the most important steps to secure the Content Management System (CMS) is to keep it and its plugins up to date. Cybercriminals constantly look for new vulnerabilities to exploit; the security patches that fix those vulnerabilities are released through the vendors’ updates. It is thus important to apply updates as soon as they are available.
In addition, the CMS can be protected by not using any default configuration for accounts and passwords: create your own administrator account with a strong password and enable Multi-Factor Authentication (MFA). MFA requires a user to provide at least two factors of different kinds (e.g., a password plus a one-time code generated by an authenticator app or received via text message) to verify their identity before they are granted access to the resource they are trying to reach. Two factors of the same kind, such as a password and a PIN code, do not provide the same protection.
Also, security plugins should be installed and enabled on the CMS. Those plugins help prevent brute-forcing (i.e., an attacker submitting many passwords or passphrases in the hope of guessing the right one and gaining access to user accounts), typically by limiting login attempts, and protect against other common web attacks.
Finally, a regular review of the user list must be integrated in the access management process. Check at regular intervals who has editing or administrative rights on your website and disable any accounts that are no longer used or relevant.
The review of the user list applies not only to users having access to the CMS, but to every user within the organisation in general. This review makes it possible to check that no test accounts are still active and that no users who shouldn’t be there were added.
The HTTPS protocol is used on the Internet for secure communication and data transfer over a computer network. It is the secured version of HTTP. Just like HTTP, HTTPS is used to send data between a web browser and a web server. The difference is that HTTPS encrypts the data (using TLS) and lets the browser verify the identity of the server through its certificate. Through the encryption of all exchanges between the web browser and the web server, HTTPS ensures that no outsider can eavesdrop on the ongoing communications. Even if an attacker is able to intercept the data, they will not be able to read it or modify it without being detected. Make sure plain HTTP requests are redirected to HTTPS, so that visitors never use the unencrypted version by mistake.
Data is one of the most valuable assets an organisation has. This is why it should be protected accordingly. It is important to encrypt the data at rest (i.e., when stored in the database or on disk) and to strictly control access to the database.
In addition, those databases should be backed up to make sure that even if an incident occurs, all important data can still be recovered. It is important to regularly test those backups to confirm that they can actually be used if needed, after an incident.
In addition to databases, make sure to also back up the website files and their configuration. Those backups should also be tested to confirm they can ensure a recovery if needed.
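“Test the backup” is often left vague, so here is an added example (not code from the page) of what a restore test can look like for the website files and configuration: the archive is created, its checksum recorded, and it is then extracted into a scratch directory and compared file by file against the source tree. The sample site content, paths and archive format are constructed assumptions for the example; the same idea applies to a database dump.

```python
"""Back up a site directory, record the archive checksum, and prove the backup
restores correctly before trusting it. Added illustration, not code from the
page; the sample site content is constructed inside run_demo()."""
import filecmp
import hashlib
import tarfile
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def create_backup(source: Path, archive: Path) -> str:
    """Archive the site files and configuration; return the archive's SHA-256 to store separately."""
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(source, arcname=source.name)
    return sha256_of(archive)


def _trees_match(a: Path, b: Path) -> bool:
    cmp = filecmp.dircmp(a, b)
    if cmp.left_only or cmp.right_only or cmp.diff_files or cmp.funny_files:
        return False
    return all(_trees_match(a / sub, b / sub) for sub in cmp.common_dirs)


def verify_backup(archive: Path, expected_sha256: str, reference: Path) -> bool:
    """Restore test: the archive must still have the recorded checksum, must extract
    cleanly into a scratch directory, and the extracted tree must equal `reference`."""
    if sha256_of(archive) != expected_sha256:
        return False                                   # damaged or tampered archive
    with tempfile.TemporaryDirectory() as scratch:
        try:
            with tarfile.open(archive, "r:gz") as tar:
                try:
                    tar.extractall(scratch, filter="data")   # refuses entries escaping scratch (Python >= 3.12)
                except TypeError:
                    tar.extractall(scratch)                  # older Python without extraction filters
        except tarfile.TarError:
            return False
        return _trees_match(reference, Path(scratch) / reference.name)


def run_demo():
    """Constructed scenario: back up a small site, then run the restore test three times."""
    with tempfile.TemporaryDirectory() as work:
        site = Path(work) / "www"
        (site / "uploads").mkdir(parents=True)
        (site / "index.html").write_text("<h1>Example shop</h1>\n")
        (site / "config.php").write_text("<?php $db_host = 'localhost';\n")
        (site / "uploads" / "logo.png").write_bytes(b"\x89PNG\r\n\x1a\n" + bytes(64))
        archive = Path(work) / "www-backup.tar.gz"
        digest = create_backup(site, archive)

        fresh = verify_backup(archive, digest, site)          # True: the backup restores identically
        (site / "index.html").write_text("<h1>Defaced</h1>\n")
        after_change = verify_backup(archive, digest, site)   # False: live site no longer matches the backup
        with archive.open("ab") as f:
            f.write(b"\x00garbage")                            # simulate a damaged archive
        damaged = verify_backup(archive, digest, site)        # False: checksum no longer matches
        return fresh, after_change, damaged


if __name__ == "__main__":
    print(run_demo())   # (True, False, False)
```

The comparison is done against a reference tree taken at backup time; comparing against the live site weeks later will naturally fail once content has changed, which is why the second result is False. Storing the checksum away from the archive is what lets you notice a backup that was silently corrupted or tampered with before you need it.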
Directory browsing (also called directory listing) lets visitors of a website see the list of all files and folders in a directory that has no index page. Directory browsing should be disabled so attackers cannot discover files that were never meant to be linked, for instance by simply using search engines that have indexed the listing. In addition, sensitive files (configuration files, backups, logs) shouldn’t be stored in default or publicly accessible locations.
It is very common for cybercriminals to use an existing account to get access to a company’s resources. The access control management process should be well established and implemented within an organisation. It is important to apply the basic principles of least privilege and need-to-know: a user should only get the access rights they require to perform their job, nothing more.
In addition, a user access provisioning process defining the procedure to remove or change the access granted to an employee when they switch position or leave the company should also be implemented. An insider attack can always happen, no matter how loyal the collaborators were at a certain point in time. Their feelings towards the company may change, especially if they didn’t leave willingly.
Finally, secure the access by using strong passwords, different for each account, and implementing Multi-Factor Authentication wherever possible.
Testing a website for well-known vulnerabilities is a great way to establish whether it is ready to go live, from a security point of view. Identifying existing vulnerabilities beforehand gives more time to fix them before any damage is done. You can get help from experts who are used to performing penetration tests and audits to assess your website security.
Monitoring activities related to, for example, the content management system, logins or file submissions can help identify suspicious activity rapidly and take the necessary actions to remediate it.
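The brute-force attempts that security plugins are meant to block (mentioned earlier) are also visible in the web server's access log, which is where login monitoring usually starts. The following added example (not code from the page or from any plugin) parses constructed Apache combined-format log lines, counts POSTs to common CMS login pages per source address inside a sliding window, and reports sources that exceed a threshold, noting whether a later attempt succeeded. The assumption that a failed WordPress login returns 200 while a successful one redirects with 302 is stated here, not taken from the page; adjust it for your CMS.

```python
"""Detect password brute-forcing against CMS login pages from the web server's
access log. Added illustration, not a plugin's own logic; the log lines below are
constructed in Apache combined format, and the assumption that a failed login
returns 200 while a successful one redirects with 302 is stated, not derived
from the page."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
# Login endpoints of common CMSs (WordPress, Drupal, Joomla); extend for your site.
LOGIN_PATHS = {"/wp-login.php", "/user/login", "/administrator/index.php"}

SAMPLE_LOG = [  # constructed sample lines: one source hammers the login page, one legitimate login
    '203.0.113.5 - - [12/Mar/2024:10:15:01 +0100] "GET /wp-login.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [12/Mar/2024:10:15:04 +0100] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [12/Mar/2024:10:15:09 +0100] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"',
    '198.51.100.20 - - [12/Mar/2024:10:15:12 +0100] "GET /about HTTP/1.1" 200 8190 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [12/Mar/2024:10:15:17 +0100] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [12/Mar/2024:10:15:26 +0100] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [12/Mar/2024:10:15:34 +0100] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"',
    '198.51.100.20 - - [12/Mar/2024:10:15:40 +0100] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [12/Mar/2024:10:15:42 +0100] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [12/Mar/2024:10:15:51 +0100] "POST /wp-login.php?redirect_to=%2Fwp-admin%2F HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]


def parse_line(line: str):
    """Return the fields we need from one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "time": datetime.strptime(m["time"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": m["path"].split("?", 1)[0],   # drop the query string
        "status": int(m["status"]),
    }


def find_bruteforce(lines, threshold: int = 5, window=timedelta(minutes=5)):
    """Return {ip: (max login POSTs inside one window, a login succeeded after flagging)}
    for every source that POSTed to a login page `threshold` or more times within `window`."""
    recent = defaultdict(deque)     # per-IP timestamps of login POSTs inside the window
    flagged = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST" or rec["path"] not in LOGIN_PATHS:
            continue
        times = recent[rec["ip"]]
        times.append(rec["time"])
        while times and rec["time"] - times[0] > window:
            times.popleft()         # slide the window forward
        if len(times) >= threshold:
            count, succeeded = flagged.get(rec["ip"], (0, False))
            flagged[rec["ip"]] = (max(count, len(times)), succeeded or rec["status"] == 302)
    return flagged


if __name__ == "__main__":
    for ip, (count, succeeded) in find_bruteforce(SAMPLE_LOG).items():
        note = "; a later attempt SUCCEEDED, reset that account" if succeeded else ""
        print("%s: %d login attempts within 5 minutes%s" % (ip, count, note))
```

A success after a burst of failures is the line that matters most: blocking the address is not enough at that point, the account's password must be reset and its sessions invalidated. Distributed attacks spread a few attempts over many addresses, so the same logic is usually also run per target username, which the access log alone does not contain.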
The aim of this content is to share and raise awareness of good cyber security practice.
Some of this advice may apply differently depending on the context of your organisation.
Always comply with the policy and instructions in force in your organisation.
If in doubt, always ask your IT manager for advice first.