Malicious files and links regularly bypass security products, leaving many organizations vulnerable to web-based attacks including Ransomware, Phishing and data breaches like Emotet, Dridex, Maze, Lokibot, Wannacry etc. Organizations can enhance security against website attacks by following cyber security best practices like the implementation of a multi-layered security concept known as Defense-in-Depth.
Following the recommendations of the Cybersecurity and Information Security Agency (CISA) encouraging website administrators to review it’s updated “Tip on Website Security”, we are using this article as a public service educational piece with the hope that it will help those who manage websites for small organizations to take the necessary steps to protect against website attacks.
What is website security?
Website security refers to the protection of personal and organizational public-facing websites from cyber attacks.
Why should I care about website security?
Cyber attacks against public-facing websites—regardless of size—are common and may result in:
- Website defacement,
- Loss of website availability or denial-of-service (DoS) condition,
- Compromise of sensitive customer or organizational data,
- An attacker taking control of the affected website, or
- Use of website as a staging point for watering hole attacks.
These threats affect all aspects of information security—confidentiality, integrity, and availability—and can gravely damage the reputation of the website and its owner.
For example, organization and personal websites that fall victim to defacement, DoS, or data breach may experience financial loss due to eroded user trust or a decrease in website visitors.
What steps can my organization take to protect against website attacks?
There are multiple steps organizations and security professionals should take to properly secure their websites.
Note: organizations should talk to their website hosting provider or managed service provider to discuss roles and responsibilities for implementing security measures.
1. Secure domain ecosystems
Review registrar and Domain Name System (DNS) records for all domains.
- Change all default password that were provided from your domain registrar and DNS.
Default credentials are not secure—they are usually readily available on the internet. Changing default usernames and passwords will prevent an attack that leverages default credentials. - Enforce multi-factor authentication (MFA).
- Monitor certificate transparency logs.
2. Secure user accounts to protect against website attacks
- Enforce MFA on all internet-accessible accounts—prioritizing those with privileged access.
- Implement the principle of least privilege and disable unnecessary accounts and privileges.
- Change all default usernames and passwords.
3. Continuously scan for—and remediate—critical and high vulnerabilities
Patch all critical and high vulnerabilities within 15 and 30 days, respectively, on internet-accessible systems. Be sure to scan for configuration vulnerabilities in addition to software vulnerabilities.
- Enable automatic updates whenever possible.
- Replace unsupported operating systems, applications, and hardware.
4. Secure data in transit to prevent website attacks
- Disable Hypertext Transfer Protocol (HTTP);
- Enforce Hypertext Transfer Protocol Secure (HTTPS) and HTTP Strict Transport Security (HSTS).
Website visitors expect their privacy to be protected.
To ensure communications between the website and user are encrypted, always enforce the use of HTTPS, and enforce the use of HSTS where possible. - Disable weak cyphers (SSLv2, SSlv3, 3DES, RC4).
Note: In cryptography, a cypher (or cipher) is an algorithm for performing encryption or decryption—a series of well-defined steps that can be followed as a procedure. An alternative, less common term is encipherment. To encipher or encode is to convert information into cipher or code.
5. Backup data so you can recover from website attacks
Employ a backup solution that automatically and continuously backs up critical data and system configurations from your website.
- Keep your backup media in a safe and physically remote environment.
- Test disaster recovery scenarios.
6. Secure web applications
Identify and remediate the top 10 most critical web application security risks like the OWASP Top 10 list of the most critical web application security risks; then move on to other less critical vulnerabilities.
- Enable logging and regularly audit website logs to detect security events or improper access.
- Send the logs to a centralized log server.
- Implement MFA for user logins to web applications and the underlying website infrastructure.
7. Secure web servers against website attacks
- Use security checklists.
- Audit and harden configurations based on security checklists specific to each application (e.g., Apache, MySQL) on the system.
- Use application whitelisting and disable modules or features that provide capabilities that are not necessary for business needs.
- Implement network segmentation and segregation.
Network segmentation and segregation makes it more difficult for attackers to move laterally within connected networks. For example, placing the web server in a properly configured demilitarized zone (DMZ) limits the type of network traffic permitted between systems in the DMZ and systems in the internal corporate network.
Know where your assets are
You must know where your assets are in order to protect them. For example, if you have data that does not need to be on the web server, remove it to protect it from public access.
What are some additional steps to protect against website attacks?
- Sanitize all user input Against Website Attacks
Sanitize user input, such as special characters and null characters, at both the client end and the server end.
Sanitizing user input is especially critical when it is incorporated into scripts or structured query language statements.
- Increase resource availability
Configure website caching to optimize resource availability. Optimizing a website’s resource availability increases the chance that it will withstand unexpectedly high amounts of traffic during DoS attacks.
- Implement cross-site scripting (XSS) and cross-site request forgery (XSRF) protections.
- Protect website systems, as well as website visitors, by implementing XSS and XSRF protections.
- Implement a Content Security Policy (CSP)
Website owners should also consider implementing a CSP. Implementing a CSP lessens the chances of an attacker successfully loading and running malicious JavaScript on the end user machine.
- Audit third-party code
Audit third-party services (e.g., ads, analytics) to validate that no unexpected code is being delivered to the end user. Website owners should weigh the pros and cons of vetting the third-party code and hosting it on the web server (as opposed to loading the code from the third party).
Implement additional security measures
Additional measures to prevent website attacks include:
- Running static and dynamic security scans against the website code and system,
- Deploying web application firewalls.
A good example of a web application firewall is Wordfence for those using the WordPress platform. - Leveraging content delivery networks to protect against malicious web traffic, and
- Providing load balancing and resilience against high amounts of traffic.
How Tech Prognosis Can Help You Prevent Website Attacks
We can help you and your organization prevent website attacks by managing your domain and website hosts on your behalf.
Most organizations promptly forget about their Internet domains once it is registered and a website goes online. There is hardly any thought given to what happens at the these separate levels: the registrar of the domain, DNS management, and the website hosting service. They are all critical to maintaining a secure web presence.
To get started, contact us at (512) 814-8044, or use our contact form to schedule a consultation.
For additional information and guidance about about CISA’s cyber security essentials, see:
