
Security Think Tank: Three areas of web security challenges

What are the main web security challenges for organisations and how are they best addressed?

Very few companies these days are without a website and those websites provide a portal from the internet that the bad people can exploit to attack a company’s infrastructure including the website itself. The security challenges posed by a web presence fall into the three broad categories of legal, technical and operational.

On the legal side you need to have a privacy policy identifying what personal data is collected, how that data will be used and who that data might be shared with and why. The policy should be made compliant with the General Data Protection Regulation (GDPR) for which the compliance deadline is 25 May 2018, but this will require you to track GDPR guidance as it becomes available.

Your website should also have a terms of use statement identifying what visitors to the site can and cannot do, unlawful or prohibited use, etc. Most major company websites exhibit good practice in this area, so take a look and see what they have done. Remember that cookies, the IP address of a user and other data that you capture from a user, such as their email address, are classified under GDPR as personal data.

Technically, you need to ensure that the website and associated support infrastructure and systems are running current supported operating systems, applications and firmware, and these should be maintained with applicable security patches as and when available.

The infrastructure and systems architecture supporting a company’s Internet presence needs to ensure good separation from the main company network, e.g. through the use of firewalls, demilitarised zones (DMZ), proxies, virus/malware detection and protection systems and uniquely different IP address ranges for the DMZ and main network.

Particular care needs to be taken where the website has access to systems on the company’s main network, as in eCommerce sites. Here you need to ensure that data incoming from a user is properly bounded (number of characters, permissible characters), that this boundary checking is done on the web server or an associated system and not in the user’s browser (browser-side checks can be skipped or altered by the sender), and that the routine which discards or handles out-of-bounds data is tested for effectiveness.
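As an added illustration of the server-side bounding described above (example code written for this page, not from the article), the following Python checks every submitted field against a length range and a permitted-character pattern on the server, rejecting unexpected or missing fields so that whatever the browser did or did not check is irrelevant. The field names and limits are constructed assumptions.

```python
import re

# Constructed per-field rules: length bounds and permitted characters.
# The names and limits are illustrative assumptions, not from any real site.
FIELD_RULES = {
    "username": {"min": 3, "max": 32, "chars": re.compile(r"[A-Za-z0-9_.-]+")},
    "quantity": {"min": 1, "max": 4,  "chars": re.compile(r"[0-9]+")},
    "postcode": {"min": 5, "max": 8,  "chars": re.compile(r"[A-Za-z0-9 ]+")},
}


def validate_field(name, value):
    """Server-side check of one field. Returns (ok, reason)."""
    rule = FIELD_RULES.get(name)
    if rule is None:
        return False, "unexpected field"
    if value is None:
        return False, "missing"
    if not isinstance(value, str):
        return False, "not a string"
    # Length bound first: cheap, and rejects oversized input before any parsing.
    if not (rule["min"] <= len(value) <= rule["max"]):
        return False, "length out of bounds"
    # fullmatch (not match) so the whole value must consist of permitted
    # characters; a trailing newline or stray control byte fails here.
    if rule["chars"].fullmatch(value) is None:
        return False, "disallowed characters"
    return True, "ok"


def validate_form(form):
    """Validate a whole submission; returns {field: reason} for every rejection.

    Every known field is required and every unknown field is rejected, so a
    sender that strips, renames or adds fields cannot bypass the bounds."""
    errors = {}
    for name in FIELD_RULES:
        ok, reason = validate_field(name, form.get(name))
        if not ok:
            errors[name] = reason
    for extra in sorted(set(form) - set(FIELD_RULES)):
        errors[extra] = "unexpected field"
    return errors
```

The rejection path is what the article says should be tested; exercising validate_form with oversized, malformed, missing and extra fields is that test.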

You should be capturing log files of significant (security) events and preferably store those on a separate server where they can be made available to log analysis software. User data captured by the website is classified as personal data under GDPR and needs to be stored and protected as such.

Operationally, ensure that website (X.509) certificates are up to date and that the WHOIS information held by your certificate supplier is current. Also ensure that firewall rule sets are fit for purpose and that any virus/malware detection and protection systems are maintained and up to date.

Log analysers should be used to identify potential issues such as unusually high CPU usage or unusual flow of high volumes of data. Recent Think Tank articles have covered the subject of log analytics. Regular IT Security Health Checks (ITSHC) should be run and should cover not just penetration testing from the internet but a detailed scan and analysis of systems behind the firewall.

I recommend an ITSHC at least annually and preferably every six months augmented with internet only penetration testing on a monthly basis, more frequently if paranoid or required by external regulations or clients.

Where some or all of a company’s website operations are outsourced, ensure that the contracts fully address all security and GDPR requirements. Saying, in effect, “over to you” is woefully inadequate. The requirements need to be spelt out in detail, together with a right to audit.

Finally, ensure that the people running a company’s operation are appropriately skilled and that those skills are maintained.
