Best practices for securing agency websites
- By (ISC)2 Government Advisory Council Executive Writers Bureau, Lee Kim
The internet has become a necessity for virtually all public- and private-sector organizations. Much like electricity and water, today's organizations need internet connectivity and a website to function.
In the 1990s, the internet was a much smaller place. There were relatively few websites, and they were not necessarily user friendly. In 1995, only 3 percent of online users had experience signing on to the world wide web.
In the early days of the web, firewalls, anti-virus software and encryption (e.g., SSL and PGP) existed, but the threat landscape was not as robust as it is today. On occasion, one would hear about malware such as the Melissa virus, but such events were few and far between. Hackers back then tended to swim in their own lane; they were associated more with trading “warez” (i.e., pirated software) and phone phreaking. The typical internet user, or system, web or database administrator, was focused on functionality. Coding HTML by hand was not uncommon, and coding web scripts was a fairly simple task. Simple website counters, guestbooks and comment forms were the norm.
Fast forward to today, and the web has grown to over 1 billion websites. While websites have grown incredibly complex and become a part of our virtual lives, most users and website operators are still focused on functionality. Arguably, some internet users and website owners are concerned about security because of headlines about rampant cyberattacks, data leaks and breaches. But not all are proactively securing their websites.
Websites can be a treasure trove for attackers. Indeed, many websites have back-end databases that house valuable (and oftentimes sensitive) information. A government website, for example, may be connected to a database with sensitive personally identifiable information, trade secrets, competitive business information, or other types of proprietary and/or sensitive information. It's only a matter of time before a determined attacker will “punch through” a website to the servers, applications and back-end databases that are not fully patched or upgraded and exfiltrate the data. In addition, the attacker may steal login credentials from web applications. To the extent that credentials are reused (or substantially similar credentials are used), an attacker in possession of such information may have the “keys to the kingdom” (i.e., an agency’s computer systems).
Further, a web server may be connected to other machines in an agency's network. An attacker that compromises the external-facing web server can use that compromised machine to pivot to other computers in the agency or even other networks that agency machines may have trusted access and connectivity to.
To further secure agency websites, IT managers should consider the following best practices:
Monitor website traffic to learn what is normal and what is not. Most firewalls allow web traffic to egress from TCP ports 80 and 443, so watch those ports for malicious traffic. A change in traffic, computer resource use or bandwidth may warrant further investigation.
Regularly review website content and code for unauthorized changes that can hide malicious code that an attacker may have placed on a system for purposes such as denial of service, command injection or remote code execution.
Monitor files on the web server, including the integrity of such files. Look for unusual binaries or changes in your files that may signal a malicious program may have replaced a benign one.
Secure web application and web server accounts with unique and complex passwords, and do not store such passwords in insecure places, whether on paper or in a computer file.
Update web servers, web applications and web databases regularly and quickly after the release of a significant security update.
Review risk assessments to ensure they include web servers, web applications and back-end databases.
Run penetration tests for website security, including vulnerabilities to SQL injection, NoSQL injection, cross-site scripting, SSL/TLS attacks, etc.
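The file-integrity practice above (regularly reviewing website content and code, and watching for replaced binaries) can be made concrete with a baseline-and-compare check. The following Python example is added here for illustration and is not part of the original article; it builds a SHA-256 baseline of a web root, then reports files that were added, removed or modified (content or permission bits) since the baseline. The directory layout and file contents in demo() are constructed sample data, and the baseline file location is an assumption.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large binaries do not load into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict:
    """Record hash, size and permission bits for every regular file under root."""
    baseline = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            st = path.stat()
            rel = path.relative_to(root).as_posix()
            baseline[rel] = {
                "sha256": hash_file(path),
                "size": st.st_size,
                "mode": oct(st.st_mode & 0o777),
            }
    return baseline


def save_baseline(baseline: dict, out: Path) -> None:
    # Store the baseline somewhere the web server cannot write (assumed path in usage).
    out.write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(src: Path) -> dict:
    return json.loads(src.read_text())


def compare(baseline: dict, current: dict) -> dict:
    """Diff two snapshots; a changed hash or changed mode both count as modified."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(
        name
        for name in baseline
        if name in current
        and (
            baseline[name]["sha256"] != current[name]["sha256"]
            or baseline[name]["mode"] != current[name]["mode"]
        )
    )
    return {"added": added, "removed": removed, "modified": modified}


def demo() -> dict:
    """Constructed web root: take a baseline, tamper with it, and report the drift."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "index.html").write_text("<h1>Agency home</h1>\n")
        (root / "cgi-bin").mkdir()
        (root / "cgi-bin" / "contact.py").write_text("print('contact form')\n")

        baseline_path = root.parent / "webroot-baseline.json"  # assumed location
        save_baseline(build_baseline(root), baseline_path)

        # Simulated unauthorized changes: edited page, dropped file, deleted script.
        (root / "index.html").write_text("<h1>Agency home</h1><!-- injected -->\n")
        (root / "cgi-bin" / "unexpected.php").write_text("placeholder content\n")
        (root / "cgi-bin" / "contact.py").unlink()

        report = compare(load_baseline(baseline_path), build_baseline(root))
        baseline_path.unlink()
        return report


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In practice the baseline is taken right after a known-good deployment and re-checked on a schedule; any non-empty "added", "removed" or "modified" list is a finding to reconcile against the change log before assuming it is benign.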
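The penetration-testing practice above lists SQL injection first. The following Python example, added here and not drawn from the article, shows why a test finds it and what the fix looks like: a lookup that concatenates user input into the query sits beside the same lookup using a parameterized query, and a small check runs the classic tautology probe against both. The in-memory SQLite table and its rows are constructed sample data.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample table standing in for a web application's user store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (username, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "staff"), ("carol", "staff")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """Defective pattern: untrusted input is spliced into the SQL text itself."""
    sql = f"SELECT username, role FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, username: str) -> list:
    """Fixed pattern: the value travels as a bound parameter, never as SQL syntax."""
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ?", (username,)
    ).fetchall()


def injection_check(conn: sqlite3.Connection) -> dict:
    """Run the textbook tautology probe against both lookups and count rows returned.

    A lookup for a non-existent user should return zero rows; anything more means
    the input altered the query's logic.
    """
    probe = "' OR '1'='1"
    return {
        "vulnerable_rows": len(lookup_vulnerable(conn, probe)),
        "safe_rows": len(lookup_safe(conn, probe)),
    }


if __name__ == "__main__":
    db = make_db()
    print(injection_check(db))  # vulnerable lookup leaks every row; safe lookup returns none
```

The same contrast applies to any database driver: the remediation is not to filter quotes out of input but to keep data and query structure separate with bound parameters, which is also what a scheduled penetration test should confirm across every form and API endpoint.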
By being more vigilant and proactive with web server, application and database security, IT managers can make agencies less attractive targets to hackers. With policies that combine defense-in-depth and thinking like an attacker, agencies can better defend their systems in today's evolving cyber threat landscape.