Website Security

Ref# Maintain | Date: Nov 1st 2018

Description

Website security is any action or application taken to ensure that personal and organisational public-facing websites are not exposed to cybercriminals.

Why should you care about website security?

Cyber attacks against public-facing websites, regardless of size, are common. An attack on a company website could:

  • Cause defacement: this can be done by hackers who break into a web server and replace the hosted website with one of their own,
  • Cause a denial-of-service (DoS) condition: this scenario occurs when the perpetrator seeks to make a machine or network resource unavailable to its intended users by temporarily or indefinitely disrupting services of a host connected to the Internet,
  • Enable the attacker to obtain sensitive information, or
  • Enable the attacker to take control of the affected website.

These attacks can put an organisation at risk of theft or loss of trust from clients or customers.

How can you improve your cybersecurity protection against website attacks?

Organisations and individuals can protect their websites by applying the following best practices to their web servers:

  • Implement the principle of least privilege. Interactive end users and service accounts should be given only the limited access to the web server that their role requires.
  • Use multifactor authentication. Multifactor authentication should be implemented for user logins and the website infrastructure.
  • Change default vendor usernames and passwords. Default credentials are usually readily available on the internet. Changing default usernames and passwords prevents attacks that leverage default credentials.
  • Disable unnecessary accounts. Disable accounts that are no longer necessary, such as guest accounts or individual user accounts that are no longer in use.
  • Use security checklists. Audit and harden configurations based on security checklists specific to each application (e.g., Apache, MySQL) on the system.
  • Use application whitelisting. Allow only the applications the server needs to run, and disable modules or features that provide capabilities not required for business needs.
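The following is an added example, not part of the original tip: a small configuration audit that checks an Apache-style httpd.conf fragment and a passwd-style account list against three of the practices above (least privilege, disabling unnecessary accounts, and module allowlisting). The config text, the account records, the module allowlist and the list of unused accounts are all constructed for the demo; `LoadModule`, `User` and `Group` are real Apache directives, and everything else (function names, the `Finding` record) is an assumption of this example.

```python
"""Audit a web server configuration against a few hardening practices.

Added example (not from the original page). All sample input below is
constructed; the allowlist and unused-account set are assumptions.
"""
import re
from dataclasses import dataclass

# Constructed sample httpd.conf fragment: runs as root and loads more
# modules than the site needs (the weak configuration).
SAMPLE_HTTPD_CONF = """
ServerRoot "/etc/httpd"
LoadModule mpm_event_module modules/mod_mpm_event.so
LoadModule ssl_module modules/mod_ssl.so
LoadModule rewrite_module modules/mod_rewrite.so
LoadModule status_module modules/mod_status.so
LoadModule userdir_module modules/mod_userdir.so
#LoadModule cgi_module modules/mod_cgi.so
User root
Group root
"""

# Constructed passwd-style records: name:uid:login shell
SAMPLE_ACCOUNTS = """
root:0:/bin/bash
apache:48:/sbin/nologin
guest:1001:/bin/bash
deploy:1002:/bin/bash
olddev:1003:/bin/bash
"""

# Assumed allowlist: the modules this site's business function actually needs.
REQUIRED_MODULES = {"mpm_event_module", "ssl_module", "rewrite_module"}
# Assumed set of accounts that should no longer be able to log in.
UNUSED_ACCOUNTS = {"guest", "olddev"}
NON_LOGIN_SHELLS = ("/sbin/nologin", "/usr/sbin/nologin", "/bin/false")


@dataclass
class Finding:
    practice: str
    detail: str


def parse_loaded_modules(conf: str) -> set:
    """Return module names from active (uncommented) LoadModule directives."""
    mods = set()
    for line in conf.splitlines():
        line = line.strip()
        if line.startswith("#"):
            continue
        m = re.match(r"LoadModule\s+(\S+)\s+\S+", line)
        if m:
            mods.add(m.group(1))
    return mods


def parse_directive(conf: str, name: str):
    """Return the value of a single-valued directive such as User or Group."""
    for line in conf.splitlines():
        parts = line.strip().split()
        if len(parts) == 2 and parts[0] == name:
            return parts[1]
    return None


def audit_modules(conf: str, required: set) -> list:
    """Application whitelisting: every loaded module outside the allowlist is a finding."""
    extra = parse_loaded_modules(conf) - required
    return [Finding("application whitelisting", f"disable module not in allowlist: {m}")
            for m in sorted(extra)]


def audit_privilege(conf: str) -> list:
    """Least privilege: the worker processes must not run as root."""
    findings = []
    for directive in ("User", "Group"):
        value = parse_directive(conf, directive)
        if value is None or value == "root":
            findings.append(Finding("least privilege",
                                    f"{directive} is {value!r}; use a dedicated unprivileged account"))
    return findings


def audit_accounts(records: str, unused: set) -> list:
    """Disable unnecessary accounts: unused accounts must not keep an interactive shell."""
    findings = []
    for line in records.strip().splitlines():
        name, uid, shell = line.split(":")
        if name in unused and shell not in NON_LOGIN_SHELLS:
            findings.append(Finding("disable unnecessary accounts",
                                    f"{name} (uid {uid}) still has login shell {shell}"))
    return findings


def run_audit(conf=SAMPLE_HTTPD_CONF, records=SAMPLE_ACCOUNTS,
              required=REQUIRED_MODULES, unused=UNUSED_ACCOUNTS) -> list:
    return audit_modules(conf, required) + audit_privilege(conf) + audit_accounts(records, unused)


if __name__ == "__main__":
    for f in run_audit():
        print(f"[{f.practice}] {f.detail}")
```

On the constructed input the audit reports two modules to disable (`status_module`, `userdir_module`; the commented-out `cgi_module` is correctly ignored), two least-privilege findings (`User root`, `Group root`) and two accounts that still have an interactive shell. Pointing the same functions at a real httpd.conf and `/etc/passwd` is the natural next step, with the allowlist taken from the checklist for that application.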

References

  • Website Security, US-CERT Security Tip ST18-006: https://www.us-cert.gov/ncas/tips/ST18-006