
Security Think Tank: Web security guidelines from FS-ISAC

What are the main web security challenges for organisations and how are they best addressed?

Today’s CISO is juggling a lot – new attacks are emerging every day across a variety of channels and keeping up is no easy task, even if you are blessed with a large security team.

Whether your team is large or small, here is a quick cheat sheet of main web security challenges and how they could be best addressed:

Challenge 1: Protection vs functionality

The conflict between usability and security is nothing new. It is easy for an eager IT security person to block functionality across the board to keep the bad stuff out, but a thoughtful one knows that not everything can be blocked: you risk cutting off functionality the business depends on, such as corporate email, business applications, or even Google.

There is no one-size-fits-all solution to web security, because each organisation has different access and security needs, but network segmentation may help.

Think about cutting off the data, not the employee, from the web. If you have critical, valuable data, it should not be on a device that connects to the open internet.

Talk to your employees to understand what they need to access for their work and find out how that can be done in the most secure way. In short, balancing security and functionality is a security DO.

Challenge 2: Static controls, dynamic web content

More traditional measures for web security just don’t cut it on today’s internet. Static controls such as blacklisting, whitelisting and URL filtering cannot keep pace with the speed at which web content is created. Unfortunately, that same speed means that many of these newly built, tailored websites are vulnerable.

Hastily developed websites are not designed with security in mind and are open to many exploits, SQL injection (SQLi) and cross-site scripting (XSS) to name just two. If such flaws are left unpatched, the data you least want exposed could be sucked right out of your organisation.
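As an added illustration (not part of the original Think Tank article), the following Python snippet puts the two flaw classes named above beside their fixes: a user lookup that concatenates input into SQL versus a parameterised query, and a page that reflects a name into HTML without encoding versus one that escapes it. The user table, its rows and the attack payloads are constructed for the example; the vulnerable functions are written that way on purpose.

```python
import html
import sqlite3

# Constructed sample data standing in for a hastily built site's user table.
SAMPLE_USERS = [
    ("alice", "s3cret-hash", "alice@example.com"),
    ("bob", "hunter2-hash", "bob@example.com"),
]


def build_db():
    """Create an in-memory SQLite database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, pw_hash TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn, name):
    """SQLi: the caller's string is spliced into the statement, so it is parsed as SQL."""
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_hardened(conn, name):
    """Fix: the value is bound as a parameter and can never change the query's shape."""
    return conn.execute(
        "SELECT name, email FROM users WHERE name = ?", (name,)
    ).fetchall()


def render_vulnerable(name):
    """XSS: user input is reflected into the page markup verbatim."""
    return "<p>Welcome, " + name + "</p>"


def render_hardened(name):
    """Fix: HTML-encode the value so the browser treats it as text, not markup."""
    return "<p>Welcome, " + html.escape(name, quote=True) + "</p>"


def demo():
    """Run each payload through the vulnerable and hardened variants and return the results."""
    conn = build_db()
    # Tautology payload: turns the WHERE clause into "name = 'x' OR '1'='1'".
    tautology = "x' OR '1'='1"
    # UNION payload: appends a second SELECT that pulls password hashes, then
    # comments out the trailing quote with "--".
    union = "' UNION SELECT name, pw_hash FROM users--"
    script = "<script>alert(1)</script>"
    return {
        "tautology_vulnerable": lookup_vulnerable(conn, tautology),  # every row
        "tautology_hardened": lookup_hardened(conn, tautology),      # no rows
        "union_vulnerable": lookup_vulnerable(conn, union),          # the hashes
        "union_hardened": lookup_hardened(conn, union),              # no rows
        "xss_vulnerable": render_vulnerable(script),                 # live script tag
        "xss_hardened": render_hardened(script),                     # inert text
    }


if __name__ == "__main__":
    for label, value in demo().items():
        print(f"{label}: {value}")
```

The tautology payload returns every user from the vulnerable lookup and nothing from the hardened one; the UNION payload shows how the password hash column, which the original query never selected, is pulled out anyway once input is parsed as SQL. Output encoding is shown at the template layer because that is where the browser decides whether a string is text or markup.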

Vulnerabilities left in exposed applications can also create additional hazards, as several recent breaches have shown.

These vulnerabilities are not just a problem for the site’s owners. Anyone who visits a compromised site, and in turn their company’s security team, can become the victim of a watering hole or drive-by attack, in which users are infected with malware simply for visiting the page.

How does your organisation determine whether a site is safe, and do your controls reflect the explosive pace of content creation online? Dynamic security controls for dynamic threats is a security DO.

Challenge 3: Human habits

People have been conditioned to click on links and open attachments, especially when they believe the message comes from a trusted source, and many organisations rely on links and attachments to function. That is why phishing attacks are a major threat to organisations. According to research this year by Cylance, malicious attachments and links are the most common attack vectors in organisations.

As much as you might like to, you cannot block all attachments or links without bringing work to a stop. Train employees about the risks and empower them to avoid malicious links and attachments. At the same time, plan as if your employees will open every attachment and visit every site you wish they wouldn’t: deploy anti-malware protection and multi-factor authentication.

If they accidentally enter their password into a phishing site, multi-factor authentication acts as another layer of defence. Bear in mind that a phishing site can relay a one-time code to the real service in real time, so a second factor bound to the genuine site is the stronger choice. Plan for the worst, train for the best. Creating security programmes that acknowledge human habits is a security DO.

Web security is a complex and critical component of any enterprise security programme. Organisations’ reliance on the web for daily operations is not going anywhere, and neither are the threats.

Phishing and ransomware attacks are on the rise. Defending against these threats requires keen knowledge of your organisation’s risks and needs. You need the right solutions, the best security professionals and widespread buy-in across the organisation. Aligning your security controls with the reality of web security in your organisation is a security DO.
