Security Think Tank: Web opportunities must be met with appropriate security controls

What are the main web security challenges for organisations and how are they best addressed?

Digital transformation strategies have changed the ways public and private sector organisations use technology to improve products and services. Although hugely beneficial to consumers and businesses alike, these strategies and resulting web services have brought significant challenges to those responsible for securing digital information and technology.

The web provides a window between your organisation and your customers/partners/suppliers/citizens – but it is fraught with security demands.

Consider the layers involved. A web server has a range of ports, applications and services – plus website code – to enable interaction. Any of these layers could be permeated with security holes; the web server might not have the right combination of settings, the settings on each port may not be appropriate, an application could contain security flaws, the website code might include vulnerabilities – and so it goes on.

Additionally, authorised users will require a range of permissions according to requirements. It is easy to see why web security is such a complex issue.

The easiest way to deal with web security is to switch off the web server – rarely an acceptable option. As such, at the ISF [Information Security Forum] we recommend that organisations take a risk-based approach to web security. Even the most well-staffed information security functions still need to prioritise security issues.

When prioritising, review the layers of web security. Specialised procedural and technical controls should be applied to browser-based applications and the servers on which they run, to minimise the risks.

Website content should be protected against corruption or unauthorised disclosure. This can include setting strict file permissions, restricting updates to a limited number of authorised individuals, using approved and secure methods of applying updates, and regularly reviewing content to ensure that it is accurate and appropriate (e.g. hyperlinks are valid and functional and that vulnerabilities have not been introduced).

Engaging with website visitors usually means allowing them to enter information. That input could cause damage unless the code that accepts it checks for potentially harmful content. Furthermore, sensitive information in transit should be protected against unauthorised disclosure by using encryption (e.g. SSL [secure sockets layer]) with approved certification.

The potential disclosure of information about system configuration should also be looked at. Consider suppressing or modifying the server field in HTTP [hypertext transfer protocol] headers, preventing the source code of server-side executables and scripts from being viewed by a web browser, and ensuring that program source code does not contain unnecessary information.
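One way to check the header recommendation above, as an added example that is not part of the original article: a small audit that parses a raw HTTP response and reports headers that still disclose server software. The function names, the sample responses and the inclusion of `X-Powered-By` and `X-AspNet-Version` alongside the `Server` field are assumptions made for this example.

```python
import re

# "Server" is the field the article names; the other two headers are an
# assumption added for this example because they disclose the same information.
DISCLOSING = ("server", "x-powered-by", "x-aspnet-version")
# A product token followed by a version number, e.g. "Name/2.4.1" or "Name 5.4".
VERSION_RE = re.compile(r"[A-Za-z][\w.-]*[/ ]v?\d+(?:\.\d+)*")

def parse_headers(raw: str) -> list[tuple[str, str]]:
    """Split a raw HTTP response head into (name, value) pairs, keeping repeats."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]  # ignore the body
    pairs = []
    for line in head.split("\n")[1:]:           # skip the status line
        if line[:1] in (" ", "\t") and pairs:   # obsolete folded continuation
            name, value = pairs[-1]
            pairs[-1] = (name, value + " " + line.strip())
        elif ":" in line:
            name, value = line.split(":", 1)
            pairs.append((name.strip().lower(), value.strip()))
    return pairs

def audit(raw: str) -> list[tuple[str, str, str]]:
    """Return (header, value, severity) for each header that discloses software.

    "version" means a product/version pair is exposed; "name-only" means the
    header is present but carries no version number.
    """
    findings = []
    for name, value in parse_headers(raw):
        if name in DISCLOSING and value:
            severity = "version" if VERSION_RE.search(value) else "name-only"
            findings.append((name, value, severity))
    return findings

# Constructed sample responses (not captured from any real site).
VERBOSE = ("HTTP/1.1 200 OK\r\nServer: ExampleHTTPd/2.4.1 (Unix) ExampleSSL/1.0.2\r\n"
           "X-Powered-By: ExampleLang/5.4.0\r\nContent-Type: text/html\r\n\r\n<html>")
HARDENED = ("HTTP/1.1 200 OK\r\nServer: web\r\nContent-Type: text/html\r\n\r\n"
            "<html>Server: Fake/1.0</html>")

if __name__ == "__main__":
    for label, raw in (("verbose", VERBOSE), ("hardened", HARDENED)):
        print(label, audit(raw))
```

The hardened sample still yields a `name-only` finding because the field has been modified rather than suppressed; whether that is acceptable is a policy decision for the organisation.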

Web servers should also be configured to record actions performed and log security-related events generated by the website. Also consider registering domain names that could be used to masquerade as your organisation (to help prevent phishing attacks).

Should the worst happen and your web security fails, dealing with a compromise is the next consideration. Incident management, business continuity, cyber resilience and crisis management are essential to improve resilience against a broad range of threats including serious cyber attacks and low-probability, high-impact events that can threaten an organisation. 

The web provides organisations, customers, citizens, partners and suppliers with opportunities to connect, engage and be more efficient. However, these opportunities must be met with security controls that protect everyone and everything involved. 
