Very few companies these days are without a website, and every website is an entry point from the internet that attackers can use against a company's infrastructure, the website itself included. The security challenges posed by a web presence fall into three broad categories: legal, technical and operational.
Technically, you need to ensure that the website and its supporting infrastructure and systems run current, supported operating systems, applications and firmware, and that these are kept up to date with security patches as and when they become available.
The infrastructure and systems architecture supporting a company's internet presence needs to provide good separation from the main company network, for example through firewalls, demilitarised zones (DMZs), proxies, virus and malware detection and protection systems, and distinct IP address ranges for the DMZ and the main network.
Particular care is needed where the website has access to systems on the company's main network, as is the case with ecommerce sites. Here you need to ensure that data coming in from a user is properly bounded (number of characters, permissible characters); that this boundary checking is done on the web server or an associated back-end system and never only in the user's browser, since anything checked in the browser can be bypassed by sending the request directly; and that the routine which discards out-of-bounds data is tested to confirm it really does so.
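The following is an added example, not code from the original article, of server-side bounding of incoming form data before it is passed to an internal system. The field names, length limits and permitted-character sets are illustrative assumptions; the point is that the same rules are enforced on the server regardless of any maxlength attribute or JavaScript in the page, and that a failed check discards the whole submission rather than forwarding a partially cleaned one.

```python
import re
from dataclasses import dataclass, field

# Server-side rules per field: (maximum length, permitted-character pattern).
# These particular bounds are assumptions for illustration, not values from the article.
FIELD_RULES = {
    "username": (32, re.compile(r"[A-Za-z0-9_.-]+")),
    "postcode": (10, re.compile(r"[A-Za-z0-9 ]+")),
    "quantity": (4, re.compile(r"[0-9]+")),
}


@dataclass
class ValidationResult:
    ok: bool
    errors: dict = field(default_factory=dict)  # field name -> reason for rejection
    clean: dict = field(default_factory=dict)   # fields that passed, safe to forward


def validate_form(form: dict) -> ValidationResult:
    """Bound every incoming field on the server.

    A browser-side maxlength or script check is advisory only: the user can
    send the HTTP request directly with curl or a proxy, so the rules are
    applied again here before anything reaches systems on the main network.
    """
    errors, clean = {}, {}
    for name, (max_len, pattern) in FIELD_RULES.items():
        value = form.get(name)
        if not isinstance(value, str):
            errors[name] = "missing or not a string"
            continue
        if len(value) > max_len:
            errors[name] = f"longer than {max_len} characters"
            continue
        # fullmatch requires the entire value to consist of permitted characters;
        # a trailing newline or an embedded quote fails here.
        if not pattern.fullmatch(value):
            errors[name] = "contains characters outside the permitted set"
            continue
        clean[name] = value

    # Fields the form never defined are rejected rather than silently forwarded.
    for name in set(form) - set(FIELD_RULES):
        errors[name] = "unexpected field"

    if errors:
        # The "garbage collection" path: nothing partial is handed on.
        clean = {}
    return ValidationResult(ok=not errors, errors=errors, clean=clean)


if __name__ == "__main__":
    # Constructed submissions: one well-formed, one that a browser maxlength would
    # have stopped but a direct request does not, one with an injection attempt.
    print(validate_form({"username": "alice_01", "postcode": "SW1A 1AA", "quantity": "2"}))
    print(validate_form({"username": "a" * 33, "postcode": "SW1A 1AA", "quantity": "2"}))
    print(validate_form({"username": "alice' OR 1=1--", "postcode": "SW1A 1AA", "quantity": "2"}))
```

The length check runs before the pattern check so that an oversized value is rejected cheaply without a regex ever seeing it. Testing the discard path means feeding it over-length and malformed input and confirming that `clean` comes back empty, not merely that the valid case succeeds.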
You should be capturing logs of significant security events and preferably storing them on a separate server, where they can be fed to log analysis software and are beyond the reach of an attacker who compromises the web server. Data captured by the website that identifies or relates to an individual is personal data under GDPR and needs to be stored and protected as such.
Operationally, ensure that the website's X.509 (TLS) certificates are renewed before they expire, and that the contact and ownership details held by your certificate supplier, together with the whois record for your domain, are current. Also ensure that firewall rule sets are fit for purpose and that any virus and malware detection and protection systems are maintained and up to date.
Log analysers should be used to identify potential issues such as unusually high CPU usage or unusually high volumes of data flowing in or out. Recent Think Tank articles have covered the subject of log analytics. Regular IT security health checks (ITSHCs) should be run, covering not just penetration testing from the internet but a detailed scan and analysis of the systems behind the firewall.
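As an added example, not part of the original article, here is the kind of check a log analyser would run for the "unusual flow of high volumes of data" case: parse web-server access logs in the common combined format, total the bytes sent to each client, and flag any client whose total is far above the rest. The log lines are constructed for the example, the addresses are documentation ranges, and the thresholds (a fixed floor and a multiple of the median) are assumptions to be tuned against real traffic.

```python
import re
from collections import defaultdict
from statistics import median

# Constructed sample access-log lines in combined log format (not real traffic).
# The last client pulls a large export twice, which should stand out.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jun/2018:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Jun/2018:10:01:03 +0000] "GET /catalogue HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Jun/2018:10:01:05 +0000] "GET /about HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Jun/2018:10:01:06 +0000] "GET /export?all=1 HTTP/1.1" 200 52428800 "-" "curl/7.58"
198.51.100.7 - - [10/Jun/2018:10:01:09 +0000] "POST /basket HTTP/1.1" 302 310 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Jun/2018:10:01:11 +0000] "GET /export?all=1 HTTP/1.1" 200 52428800 "-" "curl/7.58"
"""

# client, ident, user, [timestamp], "request", status, bytes (or "-")
LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
)


def parse(lines):
    """Yield (client, request, bytes_sent) for each well-formed line.

    Malformed lines are skipped rather than guessed at: log data is
    attacker-influenced input and the parser must not trust it.
    """
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        sent = m.group("bytes")
        yield m.group("client"), m.group("request"), (int(sent) if sent != "-" else 0)


def bytes_per_client(lines):
    """Total bytes sent to each client address."""
    totals = defaultdict(int)
    for client, _, sent in parse(lines):
        totals[client] += sent
    return dict(totals)


def flag_high_volume(lines, factor=10, floor=1_000_000):
    """Return {client: bytes} for clients whose total exceeds both an absolute
    floor and `factor` times the median client total. Both thresholds are
    assumed values for the example; real deployments tune them per site.
    """
    totals = bytes_per_client(lines)
    if not totals:
        return {}
    baseline = median(totals.values())
    return {c: b for c, b in totals.items() if b > floor and b > factor * baseline}


if __name__ == "__main__":
    for client, total in flag_high_volume(SAMPLE_LOG.splitlines()).items():
        print(f"high volume: {client} sent {total} bytes")
```

Using the median rather than the mean as the baseline matters here: one client pulling 100 MB would drag a mean-based threshold up with it and hide itself. The same structure (parse, aggregate per source over a window, compare to a baseline) applies equally to request counts per minute, which is the web-facing counterpart of the CPU-usage check mentioned above.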
I recommend an ITSHC at least annually, and preferably every six months, augmented with internet-only penetration testing monthly, or more frequently if you are paranoid or if external regulations or clients require it.
Where some or all of a company's website operation is outsourced, ensure that the contracts fully address all security and GDPR requirements. Saying, in effect, "over to you" is woefully inadequate: the requirements need to be spelt out in detail, together with a right to audit.
Finally, ensure that the people running the company's web operation are appropriately skilled and that those skills are kept current.