Website security refers to the protection of personal and organisational public-facing websites from cyberattacks.
Why should I care about website security?
Cyberattacks against public-facing websites —regardless of size —are common and may result in:
Loss of website availability or denial-of-service (DoS) condition,
Compromise of sensitive customer or organizational data,
An attacker taking control of the affected website, or
Use of website as a staging point for watering hole attacks.
These threats affect all aspects of information security —confidentiality, integrity, and availability —and can gravely damage the reputation of the website and its owner. For example, organisation and personal websites that fall victim to defacement, DoS, or data breach may experience financial loss due to eroded user trust or a decrease in website visitors.
What steps can my organisation take to protect against website attacks?
There are multiple steps organisations and security professionals should take to properly secure their websites. Note: organisations should talk to their website hosting provider or managed service provider to discuss roles and responsibilities for implementing security measures.
1. Secure domain ecosystems
Review registrar and Domain Name System (DNS) records for all domains.
Change all default password that were provided from your domain registrar and DNS.
Default credentials are not secure —they are usually readily available on the internet. Changing default usernames and passwords will prevent an attack that leverages default credentials.
Enforce multi-factor authentication (MFA).
Monitor certificate transparency logs.
2. Secure user accounts
Enforce MFA on all internet-accessible accounts — prioritising those with privileged access.
Implement the principle of least privilege and disable unnecessary accounts and privileges.
Change all default usernames and passwords.
3. Continuously scan for — and remediate — critical and high vulnerabilities
Patch all critical and high vulnerabilities within 15 and 30 days, respectively, on internet-accessible systems. Be sure to scan for configuration vulnerabilities in addition to software vulnerabilities.
Enable automatic updates whenever possible.
Replace unsupported operating systems, applications, and hardware.
4. Secure data in transit
Disable Hypertext Transfer Protocol (HTTP); enforce Hypertext Transfer Protocol Secure (HTTPS) and HTTP Strict Transport Security (HSTS).
Website visitors expect their privacy to be protected. To ensure communications between the website and user are encrypted, always enforce the use of HTTPS, and enforce the use of HSTS where possible. Preload HSTS for all domains, when possible.
Disable weak cyphers (SSLv2, SSlv3, 3DES, RC4).
5. Backup data
Employ a backup solution that automatically and continuously backs up critical data and system configurations from your website.
Keep your backup media in a safe and physically remote environment.
Test disaster recovery scenarios.
6. Secure web applications
Identify and remediate the top 10 most critical web application security risks; then move on to other less critical vulnerabilities. (Refer to OWASP Top 10for a list of the most critical web application security risks.)
Enable logging and regularly audit website logs to detect security events or improper access.
Send the logs to a centralised log server.
Implement MFA for user logins to web applications and the underlying website infrastructure.
7. Secure web servers
Use security checklists.
Audit and harden configurations based on security checklists specific to each application (e.g., Apache, MySQL) on the system.
Use application allow listing and disable modules or features that provide capabilities that are not necessary for business needs.
Implement network segmentation and segregation.
Network segmentation and segregation makes it more difficult for attackers to move laterally within connected networks. For example, placing the web server in a properly configured demilitarised zone (DMZ) limits the type of network traffic permitted between systems in the DMZ and systems in the internal corporate network.
Know where your assets are.
You must know where your assets are in order to protect them. For example, if you have data that does not need to be on the web server, remove it to protect it from public access.
What are some additional steps to protect against website attacks?
Sanitise all user input. Sanitise user input, such as special characters and null characters, at both the client end and the server end. Sanitising user input is especially critical when it is incorporated into scripts or structured query language (SQL) statements.
Increase resource availability. Configure website caching to optimise resource availability. Optimising a website’s resource availability increases the chance that it will withstand unexpectedly high amounts of traffic during DoS attacks.
Implement cross-site scripting (XSS) and cross-site request forgery (XSRF) protections.Protect website systems, as well as website visitors, by implementing XSS and XSRF protections.
Audit third-party code. Audit third-party services (e.g., ads, analytics) to validate that no unexpected code is being delivered to the end user. Website owners should weigh the pros and cons of vetting the third-party code and hosting it on the web server (as opposed to loading the code from the third party).