Website Security Cheatsheet

Thinking about securely managing your website but not sure where to start? There is a wealth of information online, but the sheer amount of it can feel overwhelming. To help, we at Xykon have compiled a short 10-item cheat sheet of basic measures that can improve your website security dramatically.

Here’s the cheat sheet:

  1. Ensure information assets on your website are classified using the same system your organization uses for all assets: If you do sensitive work or hold private data (think health information), you need to inventory and classify those assets so that you know WHAT you have and what it is WORTH. Do you have a list of clients that must be kept secure? Are there online documents containing passwords? How about detailed research about your target customer base? If your organization does not inventory, value and classify all online assets, engage a consulting firm like Xykon to conduct a baseline risk assessment so that recommended controls can be established organization-wide. This ensures that security measures are commensurate with how your organization treats information classification and categorization as a whole.
  2. Perform a risk assessment: It is the surest way to know what your high-risk areas are, and only once you have identified them can you allocate resources to address them effectively. No organization has unlimited funds to invest in cybersecurity. To help customers invest wisely, Xykon recommends understanding website risk, establishing an acceptable risk level (or risk appetite), and then linking both back to a risk management plan. Xykon specializes in the NIST Cybersecurity Framework (NIST CSF), which is in turn used to implement the NIST SP 800-series controls and the CSC Top 20 Critical Security Controls. We also specialize in ISO 27001/27002 and FISMA.
  3. Practice Least Privilege: Least Privilege is the rule that “every process, user, or application can access ONLY the information and resources that are absolutely necessary and nothing more.” Applying it means eliminating unnecessary administrators on the website’s front end and back end; having only necessary (and trained) administrators reduces the chance of security holes being introduced unwittingly. Least Privilege also requires roles to be clearly defined by the actions they permit. For example, common roles like administrator, staff, editor, dues-paying member, or content approver are each limited to certain behaviors within the site. A huge advantage of this is that hackers using compromised accounts are constrained by those same rules.
  4. Implement bare minimum controls: Xykon recommends the following ten measures for all websites, regardless of the type of content hosted:
    1. Implement a web application firewall.
    2. Utilize a Single Sign-On system, preferably one your organization already uses.
    3. Separate database and web servers.
    4. Restrict and control remote access to your database and web server by IP and username.
    5. Require SSH key authentication rather than a username and password alone. Use two-factor authentication for all access, remote or otherwise. Whether to require a VPN for remote access depends on your risk assessment.
    6. Enforce a minimum password length of 15 characters, and use the longest usernames that your applications permit.
    7. Implement a CAPTCHA.
    8. Limit and control file uploads.
    9. Disallow iframes.
    10. Disallow absolute links in code.
  5. Utilize a code versioning system: Do not give developers direct access to production systems; have them work through a version control system instead. A version control system records when each code change was made and what it changed, which is extremely useful for rolling back to a clean version after security holes or errors are introduced. Xykon uses Bitbucket and GitHub to manage our client code repositories.
  6. Collect detailed logs frequently and consistently: Logs are usually the first tool security experts use to determine the point of entry, trace activity, and draw conclusions about an attacker’s end targets, so detailed logs can be crucial to timely recovery. Despite this, most systems are set up with default logging, which is often inadequate. Logs should not only be detailed but also be forwarded to your organization’s log management or SIEM (Security Information and Event Management) system, such as ArcSight. If your organization’s logs are not detailed or you do not have a log management system, consult a security firm like Xykon for assistance.
  7. Encrypt using SSL/TLS: Ensure the website is accessible only over HTTPS, and block insecure protocols such as FTP and Telnet.
  8. Implement a CDN (content delivery network): Route all access to the website’s static content through a CDN. In addition to reducing load on the web server, this helps protect against denial-of-service attacks.
  9. Make backups: Ensure the website can be restored easily by taking regular backups to a remote location. If your website is hacked, the quickest fix is sometimes to put up a clean copy of the site as soon as possible, and for that you need backups that are safely stored and taken at different points in time.
  10. Educate your users and administrators: Your users should know what to do when attackers use social engineering to penetrate your defences. Social engineering is when attackers directly target individuals with the sole intent of tricking them into installing malware or surrendering their credentials; yet the actual end target may be more than three times removed from the initial attack. Hire a security firm to train your staff and partners to recognize the signs of an attempted or successful attack and to report them to the right people as soon as possible. A consulting firm like Xykon will also ensure your website security training is linked with your organization’s broader security training program.
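As an added example (not configuration from Xykon or this post), the nginx server block below enforces the controls from item 4 that a web server can apply on its own (restricting the admin area by IP, limiting uploads, disallowing iframes) together with the HTTPS-only rule from item 7. The certificate paths, the `/admin/` and `/upload/` locations, the application backend on `127.0.0.1:8080` and the `203.0.113.0/24` range are all placeholders to adapt to your own site.

```nginx
# Added example (not Xykon's own configuration): an nginx server block that
# enforces several of the controls above. Assumptions: certificates live under
# /etc/nginx/tls/, the admin UI is under /admin/, uploads are posted to /upload/,
# the application listens on 127.0.0.1:8080, and 203.0.113.0/24 is a placeholder
# for the office range allowed to administer the site.
# Item 7: every plain-HTTP request is redirected to HTTPS; port 80 serves nothing else.
server {
    listen 80;
    server_name example.org;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name example.org;

    ssl_certificate     /etc/nginx/tls/fullchain.pem;   # placeholder path
    ssl_certificate_key /etc/nginx/tls/privkey.pem;     # placeholder path
    ssl_protocols TLSv1.2 TLSv1.3;                      # no SSLv3 or TLS 1.0/1.1

    # Item 7: browsers remember to use HTTPS only for this host for a year.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    # Item 4, control 9 "Disallow iframes": the site refuses to be framed by anyone
    # (clickjacking defence) and its own pages may not embed frames.
    add_header X-Frame-Options "DENY" always;
    add_header Content-Security-Policy "frame-ancestors 'none'; frame-src 'none'" always;

    # Item 4, control 8 "Limit and control file uploads": request bodies over 1 MB
    # are rejected with 413 everywhere except the upload endpoint, which allows 10 MB.
    client_max_body_size 1m;

    location /upload/ {
        client_max_body_size 10m;
        proxy_pass http://127.0.0.1:8080;
    }

    # Item 4, control 4 "Restrict remote access by IP": only the allowed range reaches
    # the admin UI; everyone else gets 403 before the application sees the request.
    location /admin/ {
        allow 203.0.113.0/24;
        deny  all;
        proxy_pass http://127.0.0.1:8080;
    }

    location / {
        proxy_pass http://127.0.0.1:8080;
    }
}
```

Run `nginx -t` after editing to validate the syntax before reloading; the username-based restriction from control 4 and the SSO, CAPTCHA and WAF controls still have to be implemented in the application or a dedicated product.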

We hope this cheat sheet has been helpful. As you can see, there are many ways to increase web security. If you think something is missing from this short list, please let us know via our contact form. Remember: before undertaking any major changes, do a risk assessment to ensure that you are focusing on the right problems and applying the best solutions.