No website is an impenetrable fortress. Ad-hoc security measures are not good enough.
The integrity and security of an organization's official website matter because the site represents the organization's reputation and trustworthiness. Incidents of website attacks can shake the confidence of investors and customers in that organization. Protecting and preserving corporate websites should therefore be a priority for every organization.
According to Zone-H, an archive of defaced websites, between 60,000 and 120,000 website defacement incidents are recorded every month worldwide. Many organizations are not aware that their websites are vulnerable, which makes them easy targets for vandalism or cyber-theft.
Even organizations that are aware of the need to secure their websites often approach security in an ad-hoc or patchwork fashion. A comprehensive approach is needed to guard against cyber threats and respond to them swiftly and effectively; the steps in this cycle are explained below.
1. Security review
The first step in securing a website is a thorough review to identify its vulnerabilities. This can be done with security scanning tools, by engaging expert security consultants to review the site, or both; automated scanners are good at finding known weaknesses, while a manual review is needed for the logic flaws that scanners miss. Vulnerabilities found in this step should be fixed as soon as possible, starting with the most severe. Security reviews should be scheduled and carried out at least once every six months, and again after any significant change to the site.
2. Protection
After the security review, measures should be put in place to protect the website. A web application firewall (WAF) is needed in addition to network firewalls: a network firewall filters on addresses and ports, whereas a WAF applies a set of rules to the HTTP conversation itself and can detect and block common "Layer 7" web application attacks such as cross-site scripting (XSS) and SQL injection. A WAF complements, but does not replace, fixing the underlying application code, since attackers routinely probe for encoding tricks that slip past its rules.
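To make the "set of rules applied to an HTTP conversation" concrete, the following is an added example written for this article; it is not code from the original page or from any WAF product. The rule identifiers, the patterns, the fictional example.com site and the sample requests are all constructed for illustration, and a real rule set such as the OWASP Core Rule Set is far larger and is tuned against false positives. The point it shows is that a Layer 7 filter must decode the request before matching, otherwise an encoded quote or a double-encoded script tag walks straight past the rules.

```python
"""Minimal layer-7 request filter in the style of a WAF rule set.
Added example, not code from the original article or any WAF product.
Rules, request shape and samples are constructed for illustration."""
import re
from urllib.parse import parse_qsl, unquote

# (rule id, description, pattern). Deliberately small and conservative;
# a production rule set is much larger and tuned against false positives.
RULES = [
    ("R001", "SQLi: quoted tautology or comment terminator",
     re.compile(r"""['"]\s*(or|and)\s+\S+\s*=\s*\S+|--\s*$|/\*""", re.I)),
    ("R002", "SQLi: UNION SELECT",
     re.compile(r"\bunion\b\s+(all\s+)?select\b", re.I)),
    ("R003", "XSS: script tag, event handler or javascript: URL",
     re.compile(r"<\s*script\b|\bon(load|error|click|mouseover|focus)\s*=|javascript\s*:", re.I)),
]
INSPECTED_HEADERS = ("user-agent", "referer", "cookie")


def decode(value: str) -> str:
    """Decode URL-encoding twice before matching. Matching the raw encoded
    string is a classic WAF bypass: %27 is not a quote to a naive regex,
    and %2527 survives a single decode."""
    return unquote(unquote(value))


def inspect_request(req: dict) -> list:
    """Apply every rule to every attacker-controlled field.
    Returns (rule id, field, matched text) tuples; an empty list means allow."""
    fields = {"path": req.get("path", "")}
    for k, v in parse_qsl(req.get("query", ""), keep_blank_values=True):
        fields[f"query:{k}"] = v
    for k, v in req.get("headers", {}).items():
        if k.lower() in INSPECTED_HEADERS:
            fields[f"header:{k}"] = v
    for k, v in parse_qsl(req.get("body", ""), keep_blank_values=True):
        fields[f"body:{k}"] = v
    hits = []
    for name, raw in fields.items():
        value = decode(raw)
        for rule_id, _desc, pat in RULES:
            m = pat.search(value)
            if m:
                hits.append((rule_id, name, m.group(0)))
    return hits


def handle(req: dict) -> int:
    """HTTP status the WAF layer would produce: 403 on any rule hit,
    otherwise 200 (pass the request through to the application)."""
    return 403 if inspect_request(req) else 200


# Constructed sample traffic for a fictional site, keyed by scenario.
SAMPLE_REQUESTS = {
    "benign_search": {"method": "GET", "path": "/search", "query": "q=blue+shoes",
                      "headers": {"User-Agent": "Mozilla/5.0"}, "body": ""},
    "benign_words": {"method": "GET", "path": "/search",
                     "query": "q=union+station+select+seating", "headers": {}, "body": ""},
    "sqli_tautology": {"method": "GET", "path": "/item",
                       "query": "id=1%27+OR+%271%27%3D%271", "headers": {}, "body": ""},
    "xss_double_encoded": {"method": "GET", "path": "/search",
                           "query": "q=%253Cscript%253Ealert(1)%253C%2Fscript%253E",
                           "headers": {}, "body": ""},
    "sqli_in_body": {"method": "POST", "path": "/login", "query": "",
                     "headers": {}, "body": "user=admin%27--&pass=x"},
}


def run_samples() -> dict:
    """Status code per scenario; this is what you check when tuning rules."""
    return {name: handle(req) for name, req in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for name, status in run_samples().items():
        print(f"{name:22s} -> {status}")
```

The two benign requests pass and the three attacks are blocked, including the double-encoded script tag that a single decode would miss. The "union station select seating" case is there to show why the UNION rule requires the two keywords to be adjacent; overly broad signatures are what make WAFs unpopular with the teams that own the site.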
3. Monitoring and detection
No protection is foolproof, especially since cyber threats morph quickly and hacking methods are ever-changing. It is therefore important to have a proactive detection mechanism in case the website is defaced or breached. Defacement is sometimes first detected by external parties, such as members of the public or a customer, before the internal team gets wind of it. Such a situation is a major embarrassment and damages the organization's reputation. Proactive monitoring lets the security team act before outsiders discover the breach. Monitoring can be done manually, by having someone check the web pages regularly, but automated tools can fetch the pages, compare them with a known-good copy and report any change as frequently as every few minutes.
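The following is an added example of the automated approach, written for this article; it is not code from the original page or from any monitoring product. It stores a fingerprint of each page's approved content and flags a fetched copy that no longer matches. The fictional Acme Corp pages, the list of volatile fields to mask and the offline fetch stub are all constructed assumptions; in practice fetch_page() would use a real HTTP client and the baselines would live in a datastore. The part worth noticing is the masking step: timestamps and tokens change on every render, and without masking them every poll is a false alarm, which is how monitoring tools get switched off.

```python
"""Defacement monitor: fingerprint a page's approved content and alert when
a fresh fetch differs. Added example for this article, not code from the
original page or any product. Sample HTML, volatile-field patterns and the
fetch stub are constructed for illustration."""
import hashlib
import re

# Constructed sample pages for a fictional site: the approved home page,
# a benign re-render that differs only in a timestamp, an approved About
# page, and a defaced page.
BASELINE_HTML = """<html><head><title>Acme Corp</title></head>
<body><h1>Welcome to Acme Corp</h1>
<p>Page generated at 2024-01-01 10:00:00</p>
<p>Contact: info@example.com</p></body></html>"""

RERENDER_HTML = BASELINE_HTML.replace("10:00:00", "10:05:00")

ABOUT_HTML = """<html><head><title>About Acme Corp</title></head>
<body><h1>About us</h1><p>Founded in 1999.</p></body></html>"""

DEFACED_HTML = """<html><head><title>Hacked by Someone</title></head>
<body><h1>Owned</h1><p>Page generated at 2024-01-01 10:05:00</p>
<p>your security is weak</p></body></html>"""

# Fields that legitimately change on every render must be masked before
# hashing, or every poll is a false alarm. Assumed patterns for this sample.
VOLATILE_PATTERNS = [
    re.compile(r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}"),   # timestamps
    re.compile(r'name="csrf_token" value="[^"]*"'),      # CSRF tokens
]

# Vocabulary common in defacements; used only to raise severity.
DEFACEMENT_WORDS = re.compile(r"hacked by|owned|defaced|pwned", re.I)


def normalize(html: str) -> str:
    """Mask volatile fields and collapse whitespace so that only
    meaningful content changes affect the fingerprint."""
    text = html
    for pat in VOLATILE_PATTERNS:
        text = pat.sub("<VOLATILE>", text)
    return re.sub(r"\s+", " ", text).strip()


def fingerprint(html: str) -> str:
    """SHA-256 of the normalized page; this is what gets stored as the
    approved baseline when a content change is signed off."""
    return hashlib.sha256(normalize(html).encode("utf-8")).hexdigest()


def check_page(baseline_fp: str, current_html: str) -> dict:
    """Compare a freshly fetched page with its baseline fingerprint.

    Any unapproved change is an alert: defacers need not use telltale
    words, so the hash comparison is authoritative and the wordlist only
    escalates severity."""
    current_fp = fingerprint(current_html)
    changed = current_fp != baseline_fp
    suspicious = DEFACEMENT_WORDS.search(current_html) is not None
    if not changed:
        severity = "none"
    elif suspicious:
        severity = "high"
    else:
        severity = "medium"
    return {"changed": changed, "severity": severity, "fingerprint": current_fp}


# Constructed: what a poll would return from each URL right now.
SAMPLE_SITE = {
    "https://www.example.com/": RERENDER_HTML,
    "https://www.example.com/about": DEFACED_HTML,
}


def fetch_page(url: str) -> str:
    """Offline stub; replace with a real HTTP client in practice."""
    return SAMPLE_SITE[url]


def poll(baselines: dict, fetch=fetch_page) -> list:
    """One monitoring pass: (url, severity) for every page whose content
    no longer matches its approved fingerprint."""
    alerts = []
    for url, fp in baselines.items():
        result = check_page(fp, fetch(url))
        if result["changed"]:
            alerts.append((url, result["severity"]))
    return alerts


if __name__ == "__main__":
    approved = {
        "https://www.example.com/": fingerprint(BASELINE_HTML),
        "https://www.example.com/about": fingerprint(ABOUT_HTML),
    }
    for url, severity in poll(approved):
        print(f"ALERT {severity}: {url}")
```

Running the poll every few minutes from a host outside the web server (so that an attacker who owns the server cannot also silence the monitor) gives the security team the early warning the text describes. Approved content changes are handled by re-running fingerprint() on the new page and storing the result, which is where the change management process discussed at the end of the article comes in.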
4. Response and recovery
Organizations need to work out an incident response and recovery plan before a website defacement or security breach happens. Such "crisis management plans" should cover backing up web servers, preparing temporary landing pages, and similar measures. Backups must be taken from a known-good state and stored where a compromised web server cannot modify them, and a copy of the compromised system should be preserved for forensics before it is rebuilt. Security vulnerabilities must be remedied before restoring from backup, to prevent a repeat of the same type of breach. The organization can also keep secure temporary landing pages on standby, so that it continues to show a presentable corporate website even while under attack and has time for back-end incident handling and forensic analysis.
After the "response and recovery" stage, the organization should return to the first step, the "security review", to plan for and prevent future attacks. Securing websites can be done effectively only if it is treated as a continuous cycle of the activities above.
It is worth noting that many organizations have poor change control for their websites, because changes are made by many different people: corporate communications, marketing, administrators, webmasters and so on. These personnel must work closely with the security team under a tight change management process; without it, a monitoring tool cannot tell an approved content update from a defacement. People, process and technology together provide the strongest defence against attackers.